CVE-2026-22206 — SQL Injection in Spip

CWE-89 — SQL Injection5 documents5 sources

Severity

8.7HIGHNVD

EPSS

0.2%

top 55.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Spip Debian Spip

Timeline

PublishedFeb 26

Description

SPIP versions prior to 4.4.10 contain a SQL injection vulnerability that allows authenticated low-privilege users to execute arbitrary SQL queries by manipulating union-based injection techniques. Attackers can exploit this SQL injection flaw combined with PHP tag processing to achieve remote code execution on the server.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

▶NVDspip/spip< 4.4.10

▶debiandebian/spip< spip 4.4.10+dfsg-1 (forky)

▶Debianspip/spip< 4.4.11+dfsg-0+deb13u1+1

🔴Vulnerability Details

OSV

CVE-2026-22206: SPIP versions prior to 4↗2026-02-26

▶

GHSA

GHSA-48x6-97gc-jx62: SPIP versions prior to 4↗2026-02-26

▶

📋Vendor Advisories

Debian

CVE-2026-22206: spip - SPIP versions prior to 4.4.10 contain a SQL injection vulnerability that allows ...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-22206 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶