What is the CVSS score of CVE-2026-27472?

CVE-2026-27472 has a CVSS 3.1 base score of 4.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Spip are affected by CVE-2026-27472?

Organizations using SPIP before 4.4.9 should be aware of moderate risk from CVE-2026-27472, a server-side request forgery vulnerability rated CVSS 4.3.

Spip CVE-2026-27472

MEDIUM

Server-Side Request Forgery (SSRF) (CWE-918)

2026-02-19 disclosure@vulncheck.com

SSRF Spip

4.3

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

4.3 MEDIUM

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:03 vuln.today

CVE Published

Feb 19, 2026 - 19:22 nvd

MEDIUM 4.3

DescriptionCVE.org

SPIP before 4.4.9 allows Blind Server-Side Request Forgery (SSRF) via syndicated sites in the private area. When editing a syndicated site, the application does not verify that the syndication URL is a valid remote URL, allowing an authenticated attacker to make the server issue requests to arbitrary internal or external destinations. This vulnerability is not mitigated by the SPIP security screen.

AnalysisAI

SPIP versions prior to 4.4.9 contain a blind server-side request forgery vulnerability in the syndication feature that allows authenticated users to manipulate the application into making arbitrary network requests to internal or external systems. An attacker with valid credentials can exploit this by crafting malicious syndication URLs during site editing, bypassing the security filter mechanisms. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	CVSS 4.3 (MEDIUM). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	A remote attacker (requires authentication) could exploit this vulnerability to compromise the affected system.
Remediation	Monitor vendor advisories for a patch. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-27472 vulnerability details – vuln.today

Back

Spip CVE-2026-27472

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code