CVE-2026-27475

SPIP before 4.4.9 allows Insecure Deserialization in the public area through the table_valeur filter and the DATA iterator, which accept serialized data. An attacker who can place malicious serialized content (a pre-condition requiring prior access or another vulnerability) can trigger arbitrary object instantiation and potentially achieve code execution. The use of serialized data in these components has been deprecated and will be removed in SPIP 5. This vulnerability is not mitigated by the SPIP security screen.
Configurations

Configuration 1

cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*

History

24 Feb 2026, 19:37

Type | Values Removed | Values Added
CWE | | CWE-502
CPE | | cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*
Summary | | (es) SPIP before 4.4.9 allows insecure deserialization in the public area through the table_valeur filter and the DATA iterator, which accept serialized data. An attacker who can place malicious serialized content (a precondition that requires prior access or another vulnerability) can trigger arbitrary object instantiation and potentially achieve code execution. The use of serialized data in these components has been deprecated and will be removed in SPIP 5. This vulnerability is not mitigated by the SPIP security screen.
First Time | | Spip spip; Spip
References | https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-9.html | https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-9.html (Vendor Advisory, Release Notes)
References | https://git.spip.net/spip/spip | https://git.spip.net/spip/spip (Product)
References | https://www.vulncheck.com/advisories/spip-insecure-deserialization | https://www.vulncheck.com/advisories/spip-insecure-deserialization (Third Party Advisory)

19 Feb 2026, 19:22

Type | Values Removed | Values Added
New CVE | |

Information

Published : 2026-02-19 19:22

Updated : 2026-02-24 19:37


NVD link : CVE-2026-27475

Mitre link : CVE-2026-27475

CVE.ORG link : CVE-2026-27475


Products Affected

spip

  • spip
CWE
CWE-502

Deserialization of Untrusted Data