CVE-2026-48832
Description
action/cookie.php in ecrire in SPIP before 4.4.15 is prone to an open redirect vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SPIP before 4.4.15 has an open redirect in `action/cookie.php` via the `url_echec` parameter, allowing redirection to arbitrary external URLs.
Vulnerability
The action/cookie.php script in the ecrire directory of SPIP contains an open redirect vulnerability. The url_echec parameter, dead code that had been unused since 2008, was passed to the redirect without validation, so an attacker-supplied value could send users to arbitrary external URLs [2]. This affects all versions of SPIP before 4.4.15 [1][3]. The vulnerability is in the cookie handling action, which is reachable without authentication.
Exploitation
An attacker can craft a URL such as https://target.tld/spip.php?action=cookie&url_echec=http://evil.com and trick a user into clicking it. When the user visits the link, the SPIP site processes the cookie action and redirects the user to the attacker-controlled external URL. No authentication or special privileges are required; only user interaction (clicking the link) is needed.
Impact
Successful exploitation allows an attacker to redirect users from the legitimate SPIP site to an arbitrary external website. This can be used for phishing attacks, where the attacker mimics the login page or other trusted content, or to distribute malware. The trust associated with the SPIP domain is abused to deceive users.
Mitigation
The vulnerability is fixed in SPIP version 4.4.15, released on 2026-05-22 [1][3]. Users should upgrade to this version immediately. The fix removes the url_echec parameter entirely [2]. No workarounds are provided. The SPIP project recommends using the spip_loader to update [1].
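The following Python is an added example, not SPIP's code and not the 4.4.15 patch (which removed the parameter rather than validating it [2]). It shows the two things a practitioner typically wants around an open redirect of this shape: the general hardening of a user-supplied redirect target (accept only relative, same-site paths; reject absolute, scheme-relative, `scheme:host` and backslash forms), and a scan of web-server access logs for requests that hit `action=cookie` with an external `url_echec`. The log lines, IP addresses and `evil.example` hostname are constructed for the example; the log format assumed is the common/combined Apache style.

```python
"""Added example (not SPIP code): redirect-target validation and
access-log detection for url_echec-style open redirects."""
import re
from urllib.parse import parse_qs, urlsplit


def is_safe_local_redirect(target: str) -> bool:
    """Return True only for a relative path on the current site.

    Rejects absolute URLs (http://evil.example), scheme-relative URLs
    (//evil.example), scheme-without-slashes forms (https:evil.example),
    non-HTTP schemes (javascript:...), control characters, and backslashes,
    which some browsers normalise to a forward slash.
    """
    if not target:
        return False
    t = target.strip()
    if "\\" in t or any(ord(c) < 0x20 for c in t):
        return False
    parts = urlsplit(t)
    # Any scheme or network location means the target leaves this site.
    if parts.scheme or parts.netloc:
        return False
    # urlsplit already turns '//host' into netloc, but be explicit.
    return not t.startswith("//")


def resolve_redirect(target: str, fallback: str = "/") -> str:
    """Hardened form: use the requested target only if it is local."""
    return target.strip() if is_safe_local_redirect(target) else fallback


# Apache common/combined log prefix: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def redirect_attempts(log_lines):
    """Return (ip, status, url_echec) for action=cookie requests whose
    url_echec points off-site. A 3xx status on such a request means the
    server actually issued the redirect; 2xx/4xx after the upgrade means
    the parameter was ignored."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs percent-decodes values, so %2F%2Fevil.example becomes //evil.example
        qs = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        if qs.get("action") != ["cookie"]:
            continue
        for url_echec in qs.get("url_echec", []):
            if not is_safe_local_redirect(url_echec):
                hits.append((m.group("ip"), m.group("status"), url_echec))
    return hits


# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '203.0.113.9 - - [22/May/2026:10:00:01 +0000] "GET /spip.php?action=cookie&url_echec=http%3A%2F%2Fevil.example%2Flogin HTTP/1.1" 302 0',
    '198.51.100.4 - - [22/May/2026:10:00:02 +0000] "GET /spip.php?action=cookie&url_echec=%2F%2Fevil.example HTTP/1.1" 302 0',
    '192.0.2.7 - - [22/May/2026:10:00:03 +0000] "GET /spip.php?action=cookie&url_echec=%2Fspip.php%3Fpage%3Dlogin HTTP/1.1" 302 0',
    '192.0.2.8 - - [22/May/2026:10:00:04 +0000] "GET /spip.php?page=login HTTP/1.1" 200 1234',
]


if __name__ == "__main__":
    for ip, status, url in redirect_attempts(SAMPLE_LOG):
        print(f"{ip} {status} url_echec={url!r} -> {resolve_redirect(url)!r}")
```

Only the first two sample requests are flagged: the third carries a local `url_echec` and the fourth never touches the cookie action. Running the scan against historical logs tells you whether the redirect was exercised before the upgrade, which the version check alone cannot.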
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 3
News mentions: 0
No linked articles in our index yet.