CVE-2026-27475
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Tags
Description
SPIP before 4.4.9 allows Insecure Deserialization in the public area through the table_valeur filter and the DATA iterator, which accept serialized data. An attacker who can place malicious serialized content (a pre-condition requiring prior access or another vulnerability) can trigger arbitrary object instantiation and potentially achieve code execution. The use of serialized data in these components has been deprecated and will be removed in SPIP 5. This vulnerability is not mitigated by the SPIP security screen.
Analysis
Arbitrary code execution in SPIP before 4.4.9 through insecure deserialization of untrusted serialized objects in the table_valeur filter and DATA iterator. An attacker with prior access or leveraging a separate vulnerability to inject malicious serialized data can trigger arbitrary object instantiation and achieve remote code execution. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all SPIP installations and document their versions and internet exposure; immediately restrict public access to affected instances via WAF rules or network segmentation if possible. Within 7 days: Implement input validation rules blocking serialized PHP objects in the table_valeur filter and DATA iterator parameters; monitor logs for exploitation attempts. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today