8.8

CVE-2026-33549

SPIP 4.4.10 through 4.4.12 before 4.4.13 allows unintended privilege assignment (of administrator privileges) during the editing of an author data structure because of STATUT mishandling.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
SpipSpip Version >= 4.4.10 < 4.4.13
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.24% 0.147
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cve@mitre.org 6.7 1.2 5.5
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L
CWE-688 Function Call With Incorrect Variable or Reference as Argument

The product calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, which may lead to undefined behavior and resultant weaknesses.

https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-13.html?lang=fr
Patch
Release Notes
https://git.spip.net/spip/prive/-/merge_requests/131
Patch
Issue Tracking
https://git.spip.net/spip/prive/-/commit/b8481a7feb00f301f0ff7d5ce2aad8a772d92c2e
Patch