What is the CVSS score of CVE-2026-33549?

CVE-2026-33549 has a CVSS 3.1 base score of 6.7 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L. EPSS exploitation probability: 0.0%.

Which versions of Spip are affected by CVE-2026-33549?

Organizations using SPIP 4.4.10 through 4.4.12 before 4.4.13 should be aware of notable risk from CVE-2026-33549 rated CVSS 6.7. Exploitation could compromise the security of affected deployments.. A patch is available.

Spip CVE-2026-33549

EUVD-2026-14268 MEDIUM

Function Call With Incorrect Variable or Reference as Argument (CWE-688)

2026-03-22 mitre

GHSA-x592-5gwh-wjg9

Information Disclosure Spip

6.7

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

6.7 MEDIUM

AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 22, 2026 - 02:30 euvd

EUVD-2026-14268

Analysis Generated

Mar 22, 2026 - 02:30 vuln.today

CVE Published

Mar 22, 2026 - 02:03 nvd

MEDIUM 6.7

DescriptionCVE.org

SPIP 4.4.10 through 4.4.12 before 4.4.13 allows unintended privilege assignment (of administrator privileges) during the editing of an author data structure because of STATUT mishandling.

AnalysisAI

SPIP versions 4.4.10 through 4.4.12 contain a privilege escalation vulnerability that allows authenticated users with limited permissions to assign administrator privileges to themselves or other accounts through improper handling of the STATUT field during author data structure editing. An attacker with login credentials and user interaction can exploit this to gain full administrative control, leading to complete compromise of the CMS instance. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	This vulnerability presents moderate-to-high real-world risk despite a CVSS score of 6.7. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An authenticated regular user or editor account gains access through credential compromise or social engineering. The attacker navigates to their author profile edit page and modifies the STATUT field to an administrator value, bypassing validation checks due to improper input handling. …
Remediation	Immediately upgrade SPIP to version 4.4.13 or later, which contains the fix for STATUT field validation. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Debian

spip

Release	Status	Fixed Version	Urgency
bullseye	vulnerable	3.2.11-3+deb11u10	-
bullseye (security)	vulnerable	3.2.11-3+deb11u7	-
trixie	fixed	4.4.13+dfsg-0+deb13u1	-
trixie (security)	fixed	4.4.13+dfsg-0+deb13u1	-
forky, sid	fixed	4.4.13+dfsg-1	-
(unstable)	fixed	4.4.13+dfsg-1	-

DSA-6174-1

CVE-2026-33549 vulnerability details – vuln.today

Back

Spip CVE-2026-33549

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Vulnerability AssessmentAI

Recommended ActionAI

Vendor StatusVendor

Debian

Share

External POC / Exploit Code