CVE-2026-27745
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Description
The SPIP interface_traduction_objets plugin versions prior to 2.2.2 contain an authenticated remote code execution vulnerability in the translation interface workflow. The plugin incorporates untrusted request data into a hidden form field that is rendered without SPIP output filtering. Because fields prefixed with an underscore bypass protection mechanisms and the hidden content is rendered with filtering disabled, an authenticated attacker with editor-level privileges can inject crafted content that is evaluated through SPIP's template processing chain, resulting in execution of code in the context of the web server.
Analysis
Remote code execution in SPIP's interface_traduction_objets plugin prior to version 2.2.2 allows authenticated editors to execute arbitrary code by injecting malicious content into unfiltered form fields that bypass output protection mechanisms. The vulnerability exploits how underscore-prefixed fields circumvent SPIP's security filters and are processed through the template engine without sanitization. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all SPIP instances using interface_traduction_objets plugin and document current versions. Within 7 days: Apply vendor patch to upgrade plugin to version 2.2.2 or later on all affected systems; prioritize production environments. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today