Description
SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the public space that is exploitable only under certain nginx configurations and allows attackers to execute arbitrary code in the context of the web server. The SPIP security screen does not mitigate this issue.
References (2)
Core References
Vendor Advisory: https://blog.spip.net/
Third Party Advisory: https://www.vulncheck.com/advisories/spip-prior-to-remote-code-execution-via-nginx
Scores
CVSS v3: 8.1
EPSS: 0.0043
EPSS Percentile: 34.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-94
Status: published
Products (1): SPIP/SPIP < 4.4.14
Published: May 12, 2026
Tracked Since: May 13, 2026