CVE-2023-27372

CRITICAL EXPLOITED NUCLEI

SPIP < 4.2.1 - Remote Code Execution via Form Value Deserialization

Title source: llm

Exploitation Summary

CVE-2023-27372 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 17 public exploits from researchers including nuts7, Chocapikk, and 0SPwn, as well as a Metasploit module, exploits/multi/http/spip_rce_form. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit leverages a PHP code injection vulnerability in SPIP's `oubli` parameter, allowing unauthenticated remote code execution via crafted serialization payloads. It bypasses CSRF protection and executes arbitrary commands with web user privileges.

Description

SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.

Exploits (17)

exploitdb WORKING POC VERIFIED
by nuts7 · python · webapps · php
https://www.exploit-db.com/exploits/51536

This exploit leverages a PHP code injection vulnerability in SPIP's `oubli` parameter, allowing unauthenticated remote code execution via crafted serialization payloads. It bypasses CSRF protection and executes arbitrary commands with web user privileges.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: SPIP < 4.2.1 (excluding patched versions 3.2.18, 4.0.10, 4.1.8)
No auth needed
Prerequisites: Target running vulnerable SPIP version · Network access to the SPIP application
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 67 stars
by nuts7 · remote
https://github.com/nuts7/CVE-2023-27372

This repository contains a functional exploit for CVE-2023-27372, an unauthenticated RCE vulnerability in SPIP < 4.2.1. The exploit leverages a PHP deserialization flaw in the password reset feature to inject arbitrary PHP code via the 'oubli' parameter.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: SPIP < 4.2.1 (except patched versions 3.2.18, 4.0.10, 4.1.8, 4.2.1)
No auth needed
Prerequisites: Target running vulnerable SPIP version · Network access to the SPIP application
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 6 stars
by Chocapikk · remote
https://github.com/Chocapikk/CVE-2023-27372

This repository contains a functional exploit for CVE-2023-27372, a remote code execution vulnerability in SPIP < 4.2.1. The exploit leverages a deserialization flaw in the password reset functionality to execute arbitrary commands on the target system.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: SPIP < 4.2.1
No auth needed
Prerequisites: Target URL or list of URLs · Network access to the target
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 6 stars
by 0SPwn · remote
https://github.com/0SPwn/CVE-2023-27372-PoC

This repository contains a functional exploit for CVE-2023-27372, a deserialization flaw in SPIP's password reset feature. The exploit leverages improper input validation in the `protege_champ` function to achieve remote code execution via crafted serialized payloads.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: SPIP < 4.2.1
No auth needed
Prerequisites: Target must be running vulnerable SPIP version · Network access to the target
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 3 stars
by Ap0dexMe0 · poc
https://github.com/Ap0dexMe0/CVE-2023-27372

This repository contains a functional Python exploit for CVE-2023-27372, a remote code execution vulnerability in SPIP's 'oubli' parameter. The exploit automates the process of retrieving an anti-CSRF token and sending a crafted payload to execute arbitrary commands.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: SPIP < 3.2.18, < 4.0.10, < 4.1.18, < 4.2.1
No auth needed
Prerequisites: Python 3.7+ · requests library · bs4 library · colorama library · target URL list · command to execute
devstral-2 · analyzed May 17, 2026

nomisec WORKING POC 3 stars
by ThatNotEasy · remote
https://github.com/ThatNotEasy/CVE-2023-27372

This repository contains a functional Python exploit for CVE-2023-27372, a remote code execution vulnerability in SPIP CMS. The exploit leverages the 'oubli' parameter to execute arbitrary commands without authentication.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: SPIP CMS (versions below 3.2.18, 4.0.10, 4.1.18, and 4.2.1)
No auth needed
Prerequisites: Python 3.7+ · requests library · bs4 library · colorama library
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 2 stars
by 1Ronkkeli · remote
https://github.com/1Ronkkeli/spip-cve-2023-27372-rce

This repository contains a functional Python exploit for CVE-2023-27372, an unauthenticated RCE vulnerability in SPIP CMS < 4.2.1. The exploit leverages a cache poisoning flaw in the password reset mechanism to upload a web shell via a crafted serialized payload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: SPIP CMS < 4.2.1
No auth needed
Prerequisites: Python 3.x · requests library · beautifulsoup4 library · target running SPIP CMS < 4.2.1
devstral-2 · analyzed Feb 18, 2026

nomisec SCANNER 2 stars
by izzz0 · client-side
https://github.com/izzz0/CVE-2023-27372-POC

This repository contains a Python script that checks for the presence of CVE-2023-27372 in SPIP installations by sending a crafted POST request and verifying the response for indicators of vulnerability. It supports both single URL and batch URL scanning via a text file.

Classification: Scanner 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: SPIP < 4.2.1
No auth needed
Prerequisites: Access to the target SPIP instance · Network connectivity to the target
devstral-2 · analyzed Feb 18, 2026

nomisec STUB
by scriniariii · remote
https://github.com/scriniariii/CVE-2023-27372

The repository contains only a minimal README with no exploit code, technical details, or functional proof-of-concept. It is a placeholder with no substantive content.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Mar 07, 2026

nomisec WORKING POC
by estebanzarate · remote
https://github.com/estebanzarate/CVE-2023-27372-SPIP-4.2.1-Unauthenticated-RCE-PoC

This repository contains a functional Python exploit for CVE-2023-27372, an unauthenticated RCE vulnerability in SPIP < 4.2.1. The exploit leverages PHP object injection via the `oubli` parameter in the password reset form, executing arbitrary commands and reflecting output in the response.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: SPIP < 4.2.1
No auth needed
Prerequisites: Target must be running a vulnerable version of SPIP · Network access to the target's password reset endpoint
devstral-2 · analyzed Feb 24, 2026

nomisec SCANNER
by KirolosKhairy · poc
https://github.com/KirolosKhairy/CVE-2023-27372

This repository contains a Docker-based lab environment for SPIP CMS and a Python-based scanner to safely verify the presence of CVE-2023-27372 without executing destructive actions. The scanner checks for the vulnerability via the password recovery endpoint (`spip.php?page=spip_pass`).

Classification: Scanner 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: SPIP CMS < 4.2.1
No auth needed
Prerequisites: Docker · Docker Compose · Access to the target SPIP instance
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC
by G01d3nW01f · remote
https://github.com/G01d3nW01f/cve-2023-27372

This repository contains a functional Python exploit for CVE-2023-27372, targeting SPIP CMS. The exploit leverages a deserialization vulnerability in the password reset functionality to achieve remote code execution (RCE) by injecting malicious PHP code.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: SPIP CMS (version not specified)
No auth needed
Prerequisites: Target URL with SPIP CMS installed · Network access to the target
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by dream434 · remote
https://github.com/dream434/CVE-2023-27372

The repository contains a functional Python script that exploits CVE-2023-27372, a remote code execution vulnerability in SPIP. The script automates the process of extracting a CSRF token and sending a crafted payload to execute arbitrary commands (e.g., 'whoami') on the target system.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: SPIP (version not specified)
No auth needed
Prerequisites: Python 3.x · requests library · BeautifulSoup library · target URL with vulnerable SPIP instance
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by 1amthebest1 · remote
https://github.com/1amthebest1/CVE-2023-27372

This repository contains a functional exploit for CVE-2023-27372, targeting SPIP versions before 4.2.1. The exploit leverages a deserialization vulnerability in the 'oubli' parameter to achieve remote code execution (RCE) by injecting a crafted PHP payload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: SPIP < 4.2.1
No auth needed
Prerequisites: Target must be running a vulnerable version of SPIP · Network access to the target application
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by redboltsec · remote
https://github.com/redboltsec/CVE-2023-27372-PoC

This repository contains a functional exploit for CVE-2023-27372, a deserialization vulnerability in SPIP's password reset feature. The PoC demonstrates RCE by crafting a malicious serialized payload and leveraging the flawed `protege_champ` function.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: SPIP < 4.2.1
No auth needed
Prerequisites: Target must be running SPIP < 4.2.1 · Access to the password reset page (`spip.php?page=spip_pass`)
devstral-2 · analyzed Feb 18, 2026

vulncheck_xdb STUB
remote
https://github.com/thatformat/Hvv2023

The repository contains only a README file with minimal content, stating that all POCs come from the internet, but no actual exploit code or technical details are provided.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unspecified
No auth needed
devstral-2 · analyzed Feb 25, 2026

metasploit WORKING POC EXCELLENT
by coiffeur, Laluka, Julien Voisin, Valentin Lobstein · ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/spip_rce_form.rb

This Metasploit module exploits a PHP code injection vulnerability in SPIP via the 'oubli' parameter, allowing unauthenticated RCE. It supports multiple targets including PHP in-memory, Unix/Linux, and Windows command shells.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: SPIP <3.2.18, <4.0.10, <4.1.18, <4.2.1
No auth needed
Prerequisites: SPIP instance with vulnerable version · Network access to the target
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

SPIP - Remote Command Execution
CRITICAL VERIFIED by DhiyaneshDK, nuts7
Shodan: html:"spip.php?page=backend" || http.html:"spip.php?page=backend" || cpe:"cpe:2.3:a:spip:spip"
FOFA: body="spip.php?page=backend"

Scores

CVSS v3 9.8
EPSS 0.9312
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2023-05-03
CWE CWE-502
Status published
Products (3)
debian/debian_linux 11.0
spip/spip 4.2.0 (3 CPE variants)
spip/spip < 3.2.18
Published Feb 28, 2023
Tracked Since Feb 18, 2026