CVE-2026-27475

· Published 19/02/2026 19:22 · Modified 20/02/2026 13:49

Essential information

Published: 19/02/2026 19:22
Modified: 20/02/2026 13:49
CVSS: 9.2 CRITICAL (v3) 9.2 CRITICAL (v4.0)
CISA KEV: No
Description

SPIP before 4.4.9 allows Insecure Deserialization in the public area through the table_valeur filter and the DATA iterator, which accept serialized data. An attacker who can place malicious serialized content (a pre-condition requiring prior access or another vulnerability) can trigger arbitrary object instantiation and potentially achieve code execution. The use of serialized data in these components has been deprecated and will be removed in SPIP 5. This vulnerability is not mitigated by the SPIP security screen.

NVD status

Status: Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

Product: spip / spip
CPE: cpe:2.3:a:spip:spip:<4.4.9:*:*:*:*:*:*:*