CVE-2026-27475

8.1 HIGH

📋 TL;DR

SPIP versions before 4.4.9 contain an insecure deserialization vulnerability in the public area through the table_valeur filter and DATA iterator. Attackers who can inject malicious serialized data (requiring prior access or another vulnerability) can trigger arbitrary object instantiation and potentially achieve remote code execution. This affects all SPIP installations using vulnerable versions with the affected components enabled.

💻 Affected Systems

Products:
  • SPIP
Versions: All versions before 4.4.9
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the public area, making it accessible without authentication if the attacker can inject serialized data through other means.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠 Likely Case

Privilege escalation from limited access to full administrative control of the SPIP application, potentially leading to website defacement or data manipulation.

🟢 If Mitigated

Limited impact if proper input validation and access controls prevent malicious serialized data injection.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the attacker to first inject malicious serialized data through another vulnerability or existing access, then trigger deserialization through the vulnerable components.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.4.9

Vendor Advisory: https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-9.html

Restart Required: Yes

Instructions:

1. Backup your SPIP installation and database.
2. Download SPIP 4.4.9 from the official repository.
3. Replace all files with the new version.
4. Run the update script if prompted.
5. Clear caches and verify functionality.

🔧 Temporary Workarounds

Disable vulnerable filters (all)

Remove or disable the table_valeur filter and DATA iterator functionality if not required.

  • Modify SPIP configuration to remove filter references
  • Comment out or delete filter registration in plugins

🧯 If You Can't Patch

  • Implement strict input validation to reject serialized data in user inputs
  • Deploy web application firewall rules to detect and block serialized data patterns

🔍 How to Verify

Check if Vulnerable:

Check SPIP version in administration panel or via version.php file

Check Version:

Check SPIP admin panel or examine ecrire/inc_version.php

Verify Fix Applied:

Confirm version is 4.4.9 or later and test that serialized data inputs are properly sanitized

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests containing serialized data patterns
  • Errors related to deserialization or object instantiation

Network Indicators:

  • HTTP requests with serialized PHP object patterns in parameters

SIEM Query:

web_requests WHERE uri CONTAINS 'table_valeur' OR (params CONTAINS 'O:' AND params CONTAINS 's:')
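The following is an added example, not part of the original advisory or of SPIP itself: a log-side counterpart to the SIEM query that scans constructed, tab-separated access-log lines (timestamp, method, URI, body) and flags the same indicators, using a stricter regex for a PHP serialized object header (`O:<len>:"<class>":<n>:{`) alongside the looser `O:`/`s:` fragment check. Log format, sample lines and indicator names are assumptions.

```python
import re
from urllib.parse import parse_qs

# Header of a PHP serialized object: O:<len>:"<class>":<nprops>:{
PHP_OBJECT_RE = re.compile(r'O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')
# Serialized string member s:<len>:" (the weaker 's:' signal from the SIEM query)
PHP_STRING_RE = re.compile(r's:\d+:"')


def request_params(uri, body):
    """Merge query-string and form-body parameter values into one decoded string."""
    values = []
    for source in (uri.partition("?")[2], body):
        for vals in parse_qs(source, keep_blank_values=True).values():
            values.extend(vals)  # parse_qs already URL-decodes each value
    return " ".join(values)


def classify_request(uri, body=""):
    """Return the indicator names one request triggers (empty list = clean)."""
    decoded = request_params(uri, body)
    hits = []
    if "table_valeur" in uri:
        hits.append("uri_table_valeur")
    if PHP_OBJECT_RE.search(decoded):
        hits.append("php_object_header")      # high-confidence: full object header
    elif "O:" in decoded and PHP_STRING_RE.search(decoded):
        hits.append("serialized_fragments")   # low-confidence: mirrors the SIEM query
    return hits


def scan_log(lines):
    """Return [(line_no, hits)] for every 'ts<TAB>method<TAB>uri<TAB>body' line that matches."""
    alerts = []
    for no, line in enumerate(lines, 1):
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 3:
            continue  # malformed line, skip rather than crash
        body = fields[3] if len(fields) > 3 else ""
        hits = classify_request(fields[2], body)
        if hits:
            alerts.append((no, hits))
    return alerts


# Constructed sample log lines (not real traffic); line 3 carries a URL-encoded stdClass object.
SAMPLE_LOG = [
    "2026-03-01T10:00:00Z\tGET\t/spip.php?page=sommaire\t",
    "2026-03-01T10:00:05Z\tGET\t/spip.php?page=article&id_article=12\t",
    "2026-03-01T10:01:10Z\tPOST\t/spip.php?page=recherche\t"
    "data=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A3%3A%22foo%22%3Bs%3A3%3A%22bar%22%3B%7D",
    "2026-03-01T10:02:30Z\tGET\t/spip.php?page=table_valeur_test\t",
]
```

Running `scan_log(SAMPLE_LOG)` flags lines 3 and 4 only; the two-tier match lets an analyst triage the object-header hits first and treat bare `O:`/`s:` fragments as noisier candidates.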
