CVE-2026-27747
HIGH: SPIP interface_traduction_objets < 2.2.2 - Authenticated SQL Injection
The SPIP interface_traduction_objets plugin in versions prior to 2.2.2 contains an authenticated SQL injection vulnerability in interface_traduction_objets_pipelines.php. When handling a translation request, the plugin reads the id_parent parameter from user-supplied input and concatenates it directly into the SQL WHERE clause passed to sql_getfetsel(), with no validation and no parameterization. An authenticated attacker with editor-level privileges can therefore inject SQL expressions through id_parent and alter the backend query. Successful exploitation can disclose or modify database contents and, depending on the database configuration and the privileges of the database account SPIP uses, may lead to denial of service. Remediation is to upgrade the plugin to 2.2.2 or later; in SPIP code, an integer identifier such as id_parent should be cast with intval() before the clause is built, or passed through sql_quote() if it must remain a string.
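To make the mechanism concrete, the following is an added Python example; it is not code from the plugin, from SPIP, or from any of the referenced advisories. It reproduces the vulnerable pattern the description names (the id_parent value concatenated into a WHERE clause, with one field returned from the first matching row, as sql_getfetsel() does) against a constructed in-memory SQLite table, then shows the hardened form: cast the identifier to an integer and bind it as a query parameter. The table and column names (objets, id_objet, titre) and the sample rows are assumptions made for the demonstration.

```python
import sqlite3

# Constructed stand-in for the plugin's data, not SPIP's real schema: a few
# translation objects keyed by the parent they hang off (id_parent).
SAMPLE_ROWS = [
    (1, 10, "fr", "Public article"),
    (2, 10, "en", "Public article (translation)"),
    (3, 20, "fr", "Internal draft"),
]


def make_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE objets (id_objet INTEGER, id_parent INTEGER, lang TEXT, titre TEXT)"
    )
    conn.executemany("INSERT INTO objets VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_lookup(conn, id_parent):
    """The pattern the advisory describes: the request parameter is concatenated
    into the WHERE clause as-is. Returns one column of the first matching row,
    the way sql_getfetsel() does."""
    where = "id_parent=" + str(id_parent)  # no validation, no quoting
    row = conn.execute(
        "SELECT titre FROM objets WHERE " + where + " ORDER BY id_objet"
    ).fetchone()
    return row[0] if row else None


def hardened_lookup(conn, id_parent):
    """Same query with the two fixes that remove the injection: the parameter is
    cast to an integer (PHP intval() equivalent) so a non-numeric payload is
    rejected, and the value is bound as a query parameter rather than spliced
    into the SQL text."""
    try:
        parent = int(id_parent)
    except (TypeError, ValueError):
        return None  # reject anything that is not a plain integer id
    row = conn.execute(
        "SELECT titre FROM objets WHERE id_parent=? ORDER BY id_objet", (parent,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "0 OR id_parent=20"  # attacker-controlled id_parent; 0 matches nothing
    print("vulnerable:", vulnerable_lookup(db, payload))  # Internal draft
    print("hardened:  ", hardened_lookup(db, payload))    # None
```

The payload `0 OR id_parent=20` turns a lookup under parent 0, which has no rows, into a read of parent 20's row; the hardened function rejects it because int() fails on the string. In SPIP code the equivalent fix is intval() on id_parent before the clause is assembled, or sql_quote() if the value genuinely has to stay a string.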
References
exploit, technical description: https://chocapikk.com/posts/2026/spip-plugins-vulnerabilities/
vendor advisory: https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-10.html
product page: https://plugins.spip.net/interface_traduction_objets
third-party advisory: https://www.vulncheck.com/advisories/spip-interface-traduction-objets-authenticated-sql-injection
Scores
CVSS v3: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
EPSS: 0.0038 (percentile 29.5%)
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-89
Status: published
Products (1)
spip/interface_traduction_objets < 2.2.2
Published: Feb 25, 2026
Tracked Since: Feb 25, 2026