CVE-2026-22206
Published 2026-02-26
Priority: P2 (61) · Severity: high · CVSS 3.1 base score 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.56% (42.4th percentile)
SPIP versions prior to 4.4.10 contain a SQL injection vulnerability that allows authenticated low-privilege users to execute arbitrary SQL queries by manipulating union-based injection techniques. Attackers can exploit this SQL injection flaw combined with PHP tag processing to achieve remote code execution on the server.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | spip | < spip 4.4.10+dfsg-1 (forky) | spip 4.4.10+dfsg-1 (forky) |
| spip | spip | < 4.4.10 | 4.4.10 |
| spip | spip | >= 0 < 4.4.11+dfsg-0+deb13u1 | 4.4.11+dfsg-0+deb13u1 |
| spip | spip | >= 0 < 4.4.10+dfsg-1 | 4.4.10+dfsg-1 |
Detection & IOCs (extracted from sources)
- Target application is SPIP versions prior to 4.4.10; look for authenticated low-privilege users submitting requests containing union-based SQL injection payloads to SPIP endpoints.
- Monitor for exploitation chains combining SQL injection with PHP tag processing, which may indicate an attempt to achieve remote code execution on the SPIP server.
- The vulnerability requires authentication as a low-privilege user; unauthenticated exploitation is not described. Scope is noted as local in the Debian tracker.
- Debian bullseye remains unpatched (open); forky and sid are fixed in 4.4.10+dfsg-1; trixie is fixed in 4.4.11+dfsg-0+deb13u1. Prioritize patching accordingly.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | | 8.7 | HIGH | |
| vendor_debian | | 8.7 | HIGH | |
Debian
vendor_debian · 2026 · CVSS 8.7 · HIGH
Scope: local
bullseye: open
forky: resolved (fixed in 4.4.10+dfsg-1)
sid: resolved (fixed in 4.4.10+dfsg-1)
trixie: resolved (fixed in 4.4.11+dfsg-0+deb13u1)
OSV
osv · 2026-02-26 · CVSS 8.7 · HIGH
GHSA
GHSA-48x6-97gc-jx62 · ghsa_unreviewed · 2026-02-26 · HIGH · CWE-89
No detection rules found.
No public exploits indexed.