Debian Spip vulnerabilities
68 known vulnerabilities affecting debian/spip.
Total CVEs: 68
CISA KEV: 0
Public exploits: 14
Exploited in wild: 1
Severity breakdown: CRITICAL 8, HIGH 19, MEDIUM 36, LOW 4
Vulnerabilities
Page 1 of 4
CVE-2026-27475 | CRITICAL | CVSS 9.2 | fixed in spip 4.4.9+dfsg-1 (forky) | 2026
SPIP before 4.4.9 allows Insecure Deserialization in the public area through the table_valeur filter and the DATA iterator, which accept serialized data. An attacker who can place malicious serialized content (a pre-condition requiring prior access or another vulnerability) can trigger arbitrary object instantiation and potentially achieve code execution. The use o
CVE-2026-22206 | HIGH | CVSS 8.7 | fixed in spip 4.4.10+dfsg-1 (forky) | 2026
SPIP versions prior to 4.4.10 contain a SQL injection vulnerability that allows authenticated low-privilege users to execute arbitrary SQL queries by manipulating union-based injection techniques. Attackers can exploit this SQL injection flaw combined with PHP tag processing to achieve remote code execution on the server.
Scope: local
bullseye: open
forky: resolved (fi
CVE-2026-22205 | HIGH | CVSS 8.7 | fixed in spip 4.4.10+dfsg-1 (forky) | 2026
SPIP versions prior to 4.4.10 contain an authentication bypass vulnerability caused by PHP type juggling that allows unauthenticated attackers to access protected information. Attackers can exploit loose type comparisons in authentication logic to bypass login verification and retrieve sensitive internal data.
Scope: local
bullseye: open
forky: resolved (fixed in 4.4.1
CVE-2026-26345 | HIGH | CVSS 8.6 | fixed in spip 4.4.9+dfsg-1 (forky) | 2026
SPIP before 4.4.8 contains a stored cross-site scripting (XSS) vulnerability in the public area triggered in certain edge-case usage patterns. The echapper_html_suspect() function does not adequately sanitize user-controlled content, allowing authenticated users with content-editing privileges (e.g., author-level roles and above) to inject malicious scripts. The inject
CVE-2026-27473 | MEDIUM | CVSS 5.1 | fixed in spip 4.4.9+dfsg-1 (forky) | 2026
SPIP before 4.4.9 allows Stored Cross-Site Scripting (XSS) via syndicated sites in the private area. The #URL_SYNDIC output is not properly sanitized on the private syndicated site page, allowing an attacker who can set a malicious syndication URL to inject persistent scripts that execute when other administrators view the syndicated site details.
Scope: local
bullse
CVE-2026-27474 | MEDIUM | CVSS 4.8 | fixed in spip 4.4.9+dfsg-1 (forky) | 2026
SPIP before 4.4.9 allows Cross-Site Scripting (XSS) in the private area, complementing an incomplete fix from SPIP 4.4.8. The echappe_anti_xss() function was not systematically applied to input, form, button, and anchor (a) HTML tags, allowing an attacker to inject malicious scripts through these elements. This vulnerability is not mitigated by the SPIP security scre
CVE-2026-27472 | MEDIUM | CVSS 5.3 | fixed in spip 4.4.9+dfsg-1 (forky) | 2026
SPIP before 4.4.9 allows Blind Server-Side Request Forgery (SSRF) via syndicated sites in the private area. When editing a syndicated site, the application does not verify that the syndication URL is a valid remote URL, allowing an authenticated attacker to make the server issue requests to arbitrary internal or external destinations. This vulnerability is not mitiga
CVE-2026-33549 | MEDIUM | CVSS 6.7 | fixed in spip 4.4.13+dfsg-1 (forky) | 2026
SPIP 4.4.10 through 4.4.12 before 4.4.13 allows unintended privilege assignment (of administrator privileges) during the editing of an author data structure because of STATUT mishandling.
Scope: local
bullseye: open
forky: resolved (fixed in 4.4.13+dfsg-1)
sid: resolved (fixed in 4.4.13+dfsg-1)
trixie: resolved (fixed in 4.4.13+dfsg-0+deb13u1)
CVE-2026-26223 | MEDIUM | CVSS 5.1 | fixed in spip 4.4.9+dfsg-1 (forky) | 2026
SPIP before 4.4.8 allows cross-site scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. The fix adds a sandbox attribute to iframe tags in the private area. This vulnerability is not mitigated by the SPIP secu
CVE-2025-71242 | MEDIUM | CVSS 5.3 | fixed in spip 4.3.6+dfsg-1 (forky) | 2025
SPIP before 4.3.6, 4.2.17, and 4.1.20 allows unauthorized content disclosure in the private area. The application does not properly check authorization when displaying content of articles and sections (rubriques) in AJAX-loaded fragments, allowing an authenticated attacker to access restricted content. This vulnerability is not mitigated by the SPIP security screen.
CVE-2025-71240 | MEDIUM | CVSS 4.8 | fixed in spip 4.3.0+dfsg-1 (forky) | 2025
SPIP before 4.2.15 allows Cross-Site Scripting (XSS) via crafted content in HTML code tags. The application does not properly verify JavaScript within code tags, allowing an attacker to inject malicious scripts that execute in a victim's browser.
Scope: local
bullseye: open
forky: resolved (fixed in 4.3.0+dfsg-1)
sid: resolved (fixed in 4.3.0+dfsg-1)
trixie: resolved
CVE-2025-71241 | MEDIUM | CVSS 4.8 | fixed in spip 4.3.6+dfsg-1 (forky) | 2025
SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an attacker to inject malicious scripts. This vulnerability is mitigated by the SPIP security screen.
Scope: local
bullseye: open
forky: resolved (fixed in 4.3.6+dfsg-1)
si
CVE-2025-71244 | MEDIUM | CVSS 5.1 | fixed in spip 4.4.5+dfsg-1 (forky) | 2025
SPIP before 4.4.5 and 4.3.9 allows an Open Redirect via the login form when used in AJAX mode. An attacker can craft a malicious URL that, when visited by a victim, redirects them to an arbitrary external site after login. This vulnerability only affects sites where the login page has been overridden to function in AJAX mode. It is not mitigated by the SPIP security
CVE-2024-8517 | LOW (card) / CRITICAL (description) | CVSS 9.8 | PoC | fixed in spip 4.3.2+dfsg-1 (forky) | 2024
SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.
Scope: local
bullseye: resolved
forky: resolved (fixed in 4.3.2+dfsg-1)
sid: resolved (fixed in 4.3.2+dfsg-1)
trixie: resolved (fixed in 4.3.2+d
CVE-2024-7954 | LOW (card) / CRITICAL (description) | CVSS 9.8 | PoC | fixed in spip 4.3.0+dfsg-1 (forky) | 2024
The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.
Scope: local
bullseye: resolved
forky: resolved (fixed in 4.3.0+dfsg-1)
sid: resolved (fixed in 4.3.0+dfsg-1)
trixie:
CVE-2024-23659 | LOW (card) / MEDIUM (description) | CVSS 6.1 | fixed in spip 4.1.15+dfsg-1 (forky) | 2024
SPIP before 4.1.14 and 4.2.x before 4.2.8 allows XSS via the name of an uploaded file. This is related to javascript/bigup.js and javascript/bigup.utils.js.
Scope: local
bullseye: resolved
forky: resolved (fixed in 4.1.15+dfsg-1)
sid: resolved (fixed in 4.1.15+dfsg-1)
trixie: resolved (fixed in 4.1.15+dfsg-1)
CVE-2023-24258 | CRITICAL | CVSS 9.8 | fixed in spip 3.2.11-3+deb11u6 (bullseye) | 2023
SPIP v4.1.5 and earlier was discovered to contain a SQL injection vulnerability via the _oups parameter. This vulnerability allows attackers to execute arbitrary code via a crafted POST request.
Scope: local
bullseye: resolved (fixed in 3.2.11-3+deb11u6)
forky: resolved (fixed in 4.1.7+dfsg-1)
sid: resolved (fixed in 4.1.7+dfsg-1)
trixie: resolved (fixed in 4.1.7+d
CVE-2023-27372 | CRITICAL | CVSS 9.8 | PoC | fixed in spip 3.2.11-3+deb11u7 (bullseye) | 2023
SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
Scope: local
bullseye: resolved (fixed in 3.2.11-3+deb11u7)
forky: resolved (fixed in 4.1.8+dfsg-1)
sid: resolved (fixed in 4.1.8+dfsg-1)
trixie: resolved (fixed in 4.1.8+dfsg-1)
CVE-2023-52322 | MEDIUM | CVSS 6.1 | fixed in spip 3.2.11-3+deb11u10 (bullseye) | 2023
ecrire/public/assembler.php in SPIP before 4.1.13 and 4.2.x before 4.2.7 allows XSS because input from _request() is not restricted to safe characters such as alphanumerics.
Scope: local
bullseye: resolved (fixed in 3.2.11-3+deb11u10)
forky: resolved (fixed in 4.1.13+dfsg-1)
sid: resolved (fixed in 4.1.13+dfsg-1)
trixie: resolved (fixed in 4.1.13+dfsg-1)
CVE-2023-53900 | severity UNKNOWN (no CVSS score) | 2023
Spip 4.1.10 contains a file upload vulnerability that allows attackers to upload malicious SVG files with embedded external links. Attackers can trick administrators into clicking a crafted SVG logo that redirects to a potentially dangerous URL through improper file upload filtering.
Scope: local
bullseye: open
forky: open
sid: open
trixie: open