VYPR

Spip

by Spip

CVEs (78)

  • CVE-2024-7954 | Critical | Aug 23, 2024
    risk 0.74 | CVSS 9.8 | EPSS 0.90

    The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.

  • CVE-2017-9736 | Critical | Jun 17, 2017
    risk 0.64 | CVSS 9.8 | EPSS 0.03

    SPIP 3.1.x before 3.1.6 and 3.2.x before Beta 3 does not remove shell metacharacters from the host field, allowing a remote attacker to cause remote code execution.

  • CVE-2016-3154 | Critical | Apr 8, 2016
    risk 0.64 | CVSS 9.8 | EPSS 0.02

    The encoder_contexte_ajax function in ecrire/inc/filtres.php in SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object.

  • CVE-2016-3153 | Critical | Apr 8, 2016
    risk 0.64 | CVSS 9.8 | EPSS 0.02

    SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 allows remote attackers to execute arbitrary PHP code by adding content, related to the filtrer_entites function.

  • CVE-2016-7998 | High | Jan 18, 2017
    risk 0.61 | CVSS 8.8 | EPSS 0.14

    The SPIP template composer/compiler in SPIP 3.1.2 and earlier allows remote authenticated users to execute arbitrary PHP code by uploading an HTML file with a crafted (1) INCLUDE or (2) INCLURE tag and then accessing it with a valider_xml action.

  • CVE-2016-7980 | High | Jan 18, 2017
    risk 0.61 | CVSS 8.8 | EPSS 0.04

    Cross-site request forgery (CSRF) vulnerability in ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that execute the XML validator on a local file via a crafted valider_xml request. NOTE:…

  • CVE-2026-8429 | High | May 12, 2026
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the private space that allows attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability to achieve code execution that bypasses the SPIP security…

  • CVE-2023-53900 | High | Dec 16, 2025
    risk 0.57 | CVSS 8.8 | EPSS 0.00

    Spip 4.1.10 contains a file upload vulnerability that allows attackers to upload malicious SVG files with embedded external links. Attackers can trick administrators into clicking a crafted SVG logo that redirects to a potentially dangerous URL through improper file upload…

  • CVE-2026-8430 | High | May 12, 2026
    risk 0.53 | CVSS 8.1 | EPSS 0.00

    SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the public space that is limited to certain nginx configurations, allowing attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability through…

  • CVE-2016-7982 | High | Jan 18, 2017
    risk 0.53 | CVSS 7.5 | EPSS 0.21

    Directory traversal vulnerability in ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to enumerate the files on the system via the var_url parameter in a valider_xml action.

  • CVE-2016-7999 | High | Jan 18, 2017
    risk 0.48 | CVSS 7.4 | EPSS 0.02

    ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to conduct server side request forgery (SSRF) attacks via a URL in the var_url parameter in a valider_xml action.

  • CVE-2026-33549 | Medium | Mar 22, 2026
    risk 0.44 | CVSS 6.7 | EPSS 0.00

    SPIP 4.4.10 through 4.4.12 before 4.4.13 allows unintended privilege assignment (of administrator privileges) during the editing of an author data structure because of STATUT mishandling.

  • CVE-2017-15736 | Medium | Oct 22, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    Cross-site scripting (XSS) vulnerability (stored) in SPIP before 3.1.7 allows remote attackers to inject arbitrary web script or HTML via a crafted string, as demonstrated by a PGP field, related to prive/objets/contenu/auteur.html and ecrire/inc/texte_mini.php.

  • CVE-2016-7981 | Medium | Jan 18, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.08

    Cross-site scripting (XSS) vulnerability in valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the var_url parameter in a valider_xml action.

  • CVE-2016-9998 | Medium | Dec 17, 2016
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    SPIP 3.1.x suffers from a Reflected Cross Site Scripting Vulnerability in /ecrire/exec/info_plugin.php involving the `$plugin` parameter, as demonstrated by a /ecrire/?exec=info_plugin URL.

  • CVE-2016-9997 | Medium | Dec 17, 2016
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    SPIP 3.1.x suffers from a Reflected Cross Site Scripting Vulnerability in /ecrire/exec/puce_statut.php involving the `$id` parameter, as demonstrated by a /ecrire/?exec=puce_statut URL.

  • CVE-2016-9152 | Medium | Dec 5, 2016
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    Cross-site scripting (XSS) vulnerability in ecrire/exec/plonger.php in SPIP 3.1.3 allows remote attackers to inject arbitrary web script or HTML via the rac parameter.

  • CVE-2026-48832 | Low | May 24, 2026
    risk 0.23 | CVSS 3.5 | EPSS 0.00

    action/cookie.php in ecrire in SPIP before 4.4.15 is prone to an open redirect vulnerability.

  • CVE-2024-8517 | Sep 6, 2024
    risk 0.10 | CVSS n/a | EPSS 0.95

    SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.

  • CVE-2023-27372 | Feb 28, 2023
    risk 0.10 | CVSS n/a | EPSS 1.00

    SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
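Several entries above use the NVD phrasing "before 4.3.2, 4.2.16, and 4.1.18": one fixed release per maintained branch, so a naive comparison against the highest listed version would wrongly flag a patched 4.2.16 as vulnerable. The following is an added example (not code from VYPR or the SPIP project) of a branch-aware check that maps an installed version to the entries on this page whose fixed versions it predates. The fixed versions are transcribed from the descriptions above; "3.2.x before Beta 3" is encoded as 3.2.0-beta3. Two assumptions are labelled in the code: that a branch older than every fixed branch received no fix and is treated as affected, and that the installed version can be read from `$spip_version_branche` in `ecrire/inc_version.php`.

```python
"""Branch-aware 'fixed in' check for NVD-style version lists (added example)."""
import re

_PRE = {"alpha": 0, "beta": 1, "rc": 2}


def parse_version(v):
    """'4.3.0-alpha2' -> ((4, 3, 0), (0, 2)); a final release sorts after its pre-releases."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-?(alpha|beta|rc)\s*(\d*))?", v.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))          # '4.3' -> (4, 3, 0)
    pre = (_PRE[m.group(2).lower()], int(m.group(3) or 0)) if m.group(2) else (99, 0)
    return nums, pre


def is_affected(installed, fixed, introduced=None):
    """True if `installed` predates the fix shipped for its own major.minor branch."""
    inst = parse_version(installed)
    if introduced and inst < parse_version(introduced):
        return False                               # range has a lower bound (e.g. '4.4.10 through 4.4.12')
    fixes = sorted(parse_version(f) for f in fixed)
    same_branch = [f for f in fixes if f[0][:2] == inst[0][:2]]
    if same_branch:
        return inst < same_branch[0]               # compare against the backport on this branch
    # Assumption: a branch older than every fixed branch got no fix (end of life) and
    # is treated as affected; a branch newer than all of them is assumed to carry the fix.
    return inst[0][:2] < fixes[0][0][:2]


# Fixed versions transcribed from the CVE descriptions on this page.
SPIP_FIXES = {
    "CVE-2024-8517": {"fixed": ["4.3.2", "4.2.16", "4.1.18"]},
    "CVE-2023-27372": {"fixed": ["3.2.18", "4.0.10", "4.1.8", "4.2.1"]},
    "CVE-2017-9736": {"fixed": ["3.1.6", "3.2.0-beta3"]},     # '3.2.x before Beta 3'
    "CVE-2026-33549": {"introduced": "4.4.10", "fixed": ["4.4.13"]},
    "CVE-2026-8429": {"fixed": ["4.4.14"]},
}


def affecting(installed):
    """Sorted CVE IDs from SPIP_FIXES that still apply to `installed`."""
    return sorted(cve for cve, r in SPIP_FIXES.items()
                  if is_affected(installed, r["fixed"], r.get("introduced")))


def spip_version_from_source(php_source):
    """Extract $spip_version_branche from ecrire/inc_version.php (assumed file layout)."""
    m = re.search(r"\$spip_version_branche\s*=\s*['\"]([^'\"]+)['\"]", php_source)
    return m.group(1) if m else None


# Constructed sample of the assumed inc_version.php content, not taken from a real install.
SAMPLE_INC_VERSION = "<?php\n$spip_version_branche = '4.2.15';\n$spip_version_code = 30000;\n"

if __name__ == "__main__":
    v = spip_version_from_source(SAMPLE_INC_VERSION)
    print(v, "->", affecting(v))
```

Run against a real install by replacing the constructed sample with the contents of `ecrire/inc_version.php`; an empty list means none of the transcribed entries apply, not that the install is free of the other CVEs on this page.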

Page 1 of 4