CVE-2026-27747
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Description
The SPIP interface_traduction_objets plugin versions prior to 2.2.2 contain an authenticated SQL injection vulnerability in interface_traduction_objets_pipelines.php. When handling translation requests, the plugin reads the id_parent parameter from user-supplied input and concatenates it directly into a SQL WHERE clause in a call to sql_getfetsel() without input validation or parameterization. An authenticated attacker with editor-level privileges can inject crafted SQL expressions into the id_parent parameter to manipulate the backend query. Successful exploitation can result in disclosure or modification of database contents and may lead to denial of service depending on the database configuration and privileges.
Analysis
SQL injection in the SPIP interface_traduction_objets plugin before version 2.2.2 allows authenticated editors to execute arbitrary database queries through unsanitized input in translation request parameters. Attackers can exploit this to read, modify, or delete database contents, or cause denial of service. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all SPIP installations and confirm which systems run the vulnerable plugin version. Within 7 days: Apply vendor patch to upgrade interface_traduction_objets plugin to version 2.2.2 or later across all affected systems. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today