CVE-2026-27475 · HIGH 8.1 · EPSS p51.0%

CVE-2026-27475

Description

SPIP before 4.4.9 allows Insecure Deserialization in the public area through the table_valeur filter and the DATA iterator, which accept serialized data. An attacker who can place malicious serialized content (a pre-condition requiring prior access or another vulnerability) can trigger arbitrary object instantiation and potentially achieve code execution. The use of serialized data in these components has been deprecated and will be removed in SPIP 5. This vulnerability is not mitigated by the SPIP security screen.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.78% probability of exploitation · percentile 51.0% · 2026-06-19T12:03:05Z
Published: 2026-02-19
Last modified: 2026-02-24

Underlying weaknesses · 1

CWE-502

References

  1. https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-9.html
  2. https://git.spip.net/spip/spip
  3. https://www.vulncheck.com/advisories/spip-insecure-deserialization


Type | Target | Confidence | Tier
Weakness | Deserialization of Untrusted Data (cwe-502) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-27745
CVE: CVE-2026-8429
CVE: CVE-2026-22206
CVE: CVE-2026-27747
CVE: CVE-2025-71243
CVE: CVE-2026-27743

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.