Spip

Spip

76 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
6.7

CVE-2026-33549

  • EPSS 0.04%
  • Veröffentlicht 22.03.2026 02:03:47
  • Zuletzt bearbeitet 23.03.2026 14:31:37

SPIP 4.4.10 through 4.4.12 before 4.4.13 allows unintended privilege assignment (of administrator privileges) during the editing of an author data structure because of STATUT mishandling.

7.5

CVE-2026-22205

  • EPSS 0.36%
  • Veröffentlicht 26.02.2026 20:18:14
  • Zuletzt bearbeitet 02.03.2026 16:08:10

SPIP versions prior to 4.4.10 contain an authentication bypass vulnerability caused by PHP type juggling that allows unauthenticated attackers to access protected information. Attackers can exploit loose type comparisons in authentication logic to by...

8.8

CVE-2026-22206

  • EPSS 0.19%
  • Veröffentlicht 26.02.2026 20:17:58
  • Zuletzt bearbeitet 02.03.2026 15:58:07

SPIP versions prior to 4.4.10 contain a SQL injection vulnerability that allows authenticated low-privilege users to execute arbitrary SQL queries by manipulating union-based injection techniques. Attackers can exploit this SQL injection flaw combine...

8.1

CVE-2026-27475

  • EPSS 0.17%
  • Veröffentlicht 19.02.2026 18:39:24
  • Zuletzt bearbeitet 24.02.2026 19:37:54

SPIP before 4.4.9 allows Insecure Deserialization in the public area through the table_valeur filter and the DATA iterator, which accept serialized data. An attacker who can place malicious serialized content (a pre-condition requiring prior access o...

6.1

CVE-2026-27474

  • EPSS 0.05%
  • Veröffentlicht 19.02.2026 18:38:57
  • Zuletzt bearbeitet 02.03.2026 15:16:36

SPIP before 4.4.9 allows Cross-Site Scripting (XSS) in the private area, complementing an incomplete fix from SPIP 4.4.8. The echappe_anti_xss() function was not systematically applied to input, form, button, and anchor (a) HTML tags, allowing an att...

6.4

CVE-2026-27473

  • EPSS 0.06%
  • Veröffentlicht 19.02.2026 18:38:26
  • Zuletzt bearbeitet 24.02.2026 19:44:24

SPIP before 4.4.9 allows Stored Cross-Site Scripting (XSS) via syndicated sites in the private area. The #URL_SYNDIC output is not properly sanitized on the private syndicated site page, allowing an attacker who can set a malicious syndication URL to...

4.3

CVE-2026-27472

  • EPSS 0.05%
  • Veröffentlicht 19.02.2026 18:38:02
  • Zuletzt bearbeitet 24.02.2026 19:45:15

SPIP before 4.4.9 allows Blind Server-Side Request Forgery (SSRF) via syndicated sites in the private area. When editing a syndicated site, the application does not verify that the syndication URL is a valid remote URL, allowing an authenticated atta...

6.1

CVE-2026-26223

  • EPSS 0.05%
  • Veröffentlicht 19.02.2026 15:26:05
  • Zuletzt bearbeitet 02.03.2026 15:16:35

SPIP before 4.4.8 allows cross-site scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. Th...

8.6

CVE-2026-26345

  • EPSS 0.05%
  • Veröffentlicht 19.02.2026 15:25:06
  • Zuletzt bearbeitet 24.02.2026 19:51:50

SPIP before 4.4.8 contains a stored cross-site scripting (XSS) vulnerability in the public area triggered in certain edge-case usage patterns. The echapper_html_suspect() function does not adequately sanitize user-controlled content, allowing authent...

8.1

CVE-2025-71250

  • EPSS -
  • Veröffentlicht 19.02.2026 14:58:20
  • Zuletzt bearbeitet 19.02.2026 19:22:28

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.