CVE-2026-8429
published 2026-05-12
CVE-2026-8429: SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the private space that allows attackers to execute arbitrary code in the context…
Priority: P2 · 61 · high · 8.8 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.50% (39.1th percentile)
SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the private space that allows attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability to achieve code execution that bypasses the SPIP security screen protections.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| spip | spip | < 4.4.14 | 4.4.14 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
GHSA-pgpj-4fv5-cq78: SPIP versions prior to 4
ghsa_unreviewed·2026-05-12
CVE-2026-8429 [HIGH] CWE-94 GHSA-pgpj-4fv5-cq78: SPIP versions prior to 4
SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the private space that allows attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability to achieve code execution that bypasses the SPIP security screen protections.
VulDB
SPIP up to 4.4.13 code injection
vuldb·2026-05-12
CVE-2026-8429 [CRITICAL] SPIP up to 4.4.13 code injection
A vulnerability was found in SPIP up to 4.4.13. It has been classified as critical. The affected element is an unknown function. The manipulation leads to code injection.
This vulnerability is uniquely identified as CVE-2026-8429. The attack can be carried out remotely. No exploit exists.
Upgrading the affected component is recommended.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-12