threatengine.sh
Product: spip
75 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
Each entry reads: CVE ID | affected version range | CVSS score and severity (where listed), followed on the next line by its description as it appears in the listing.

CVE-2026-33549 | >= 4.4.10 and < 4.4.13 | CVSS 6.7 MEDIUM
  SPIP 4.4.10 through 4.4.12 before 4.4.13 allows unintended privilege assignment (of administrator privileges) during the editing o

CVE-2026-22206 | < 4.4.10 | CVSS 8.8 HIGH
  SPIP versions prior to 4.4.10 contain a SQL injection vulnerability that allows authenticated low-privilege users to execute arbit

CVE-2026-22205 | < 4.4.10 | CVSS 7.5 HIGH
  SPIP versions prior to 4.4.10 contain an authentication bypass vulnerability caused by PHP type juggling that allows unauthenticat

CVE-2026-27747 | < 2.2.2 | CVSS 8.8 HIGH
  The SPIP interface_traduction_objets plugin versions prior to 2.2.2 contain an authenticated SQL injection vulnerability in inter

CVE-2026-27746 | < 4.1.1 | CVSS 6.1 MEDIUM
  The SPIP jeux plugin versions prior to 4.1.1 contain a reflected cross-site scripting (XSS) vulnerability in the pre_propre pipel

CVE-2026-27745 | < 2.2.2 | CVSS 8.8 HIGH
  The SPIP interface_traduction_objets plugin versions prior to 2.2.2 contain an authenticated remote code execution vulnerability

CVE-2026-27744 | < 4.3.3 | CVSS 9.8 CRITICAL
  The SPIP tickets plugin versions prior to 4.3.3 contain an unauthenticated remote code execution vulnerability in the forum previ

CVE-2026-27743 | < 1.3.0 | CVSS 9.8 CRITICAL
  The SPIP referer_spam plugin versions prior to 1.3.0 contain an unauthenticated SQL injection vulnerability in the referer_spam_a

CVE-2026-27475 | >= 4.4.0 and < 4.4.9 | CVSS 8.1 HIGH
  SPIP before 4.4.9 allows Insecure Deserialization in the public area through the table_valeur filter and the DATA iterator, which

CVE-2026-27474 | >= 4.4.0 and < 4.4.9 | CVSS 6.1 MEDIUM
  SPIP before 4.4.9 allows Cross-Site Scripting (XSS) in the private area, complementing an incomplete fix from SPIP 4.4.8. The echa

CVE-2026-27473 | >= 4.4.0 and < 4.4.9 | CVSS 6.4 MEDIUM
  SPIP before 4.4.9 allows Stored Cross-Site Scripting (XSS) via syndicated sites in the private area. The #URL_SYNDIC output is not

CVE-2026-27472 | >= 4.4.0 and < 4.4.9 | CVSS 4.3 MEDIUM
  SPIP before 4.4.9 allows Blind Server-Side Request Forgery (SSRF) via syndicated sites in the private area. When editing a syndica

CVE-2026-26345 | >= 4.4.0 and < 4.4.8 | CVSS 5.4 MEDIUM
  SPIP before 4.4.8 contains a stored cross-site scripting (XSS) vulnerability in the public area triggered in certain edge-case usa

CVE-2026-26223 | >= 4.4.0 and < 4.4.8 | CVSS 6.1 MEDIUM
  SPIP before 4.4.8 allows cross-site scripting (XSS) in the private area via malicious iframe tags. The application does not proper

CVE-2025-71244 | >= 4.3.0 and < 4.3.9 | CVSS 6.1 MEDIUM
  SPIP before 4.4.5 and 4.3.9 allows an Open Redirect via the login form when used in AJAX mode. An attacker can craft a malicious U

CVE-2025-71243 | >= 5.4.0 and < 5.11.1 | CVSS 9.8 CRITICAL
  The 'Saisies pour formulaire' (Saisies) plugin for SPIP versions 5.4.0 through 5.11.0 contains a critical Remote Code Execution (R

CVE-2025-71242 | >= 4.1.0 and < 4.1.20 | CVSS 6.5 MEDIUM
  SPIP before 4.3.6, 4.2.17, and 4.1.20 allows unauthorized content disclosure in the private area. The application does not properl

CVE-2025-71241 | >= 4.1.0 and < 4.1.20 | CVSS 6.1 MEDIUM
  SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the private area. The content of the error message disp

CVE-2025-71240 | >= 4.2.0 and < 4.2.15 | CVSS 5.4 MEDIUM
  SPIP before 4.2.15 allows Cross-Site Scripting (XSS) via crafted content in HTML code tags. The application does not properly veri

CVE-2023-53900 | all versions | CVSS 8.8 HIGH
  Spip 4.1.10 contains a file upload vulnerability that allows attackers to upload malicious SVG files with embedded external links.

CVE-2024-53620 | all versions | CVSS 4.8 MEDIUM
  A cross-site scripting (XSS) vulnerability in the Article module of SPIP v4.3.3 allows authenticated attackers to execute arbitrar

CVE-2024-53619 | all versions | CVSS 6.3 MEDIUM
  An authenticated arbitrary file upload vulnerability in the Documents module of SPIP v4.3.3 allows attackers to execute arbitrary

CVE-2024-8517 | >= 4.0.0 and < 4.1.18 | CVSS 9.8 CRITICAL
  SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can exec

CVE-2024-23659 | < 4.1.14 | CVSS 6.1 MEDIUM
  SPIP before 4.1.14 and 4.2.x before 4.2.8 allows XSS via the name of an uploaded file. This is related to javascript/bigup.js and

CVE-2023-52322 | < 4.1.13 | CVSS 6.1 MEDIUM
  ecrire/public/assembler.php in SPIP before 4.1.13 and 4.2.x before 4.2.7 allows XSS because input from _request() is not restricte

CVE-2023-27372 | < 3.2.18 | CVSS 9.8 CRITICAL
  SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed v

CVE-2023-24258 | <= 4.1.5 | CVSS 9.8 CRITICAL
  SPIP v4.1.5 and earlier was discovered to contain a SQL injection vulnerability via the _oups parameter. This vulnerability allows

CVE-2022-37155 | >= 3.1.13 and <= 4.1.2 | CVSS 8.8 HIGH
  RCE in SPIP 3.1.13 through 4.1.2 allows remote authenticated users to execute arbitrary code via the _oups parameter.

CVE-2022-28961 | <= 3.1.13 | CVSS 8.8 HIGH
  Spip Web Framework v3.1.13 and below was discovered to contain multiple SQL injection vulnerabilities at /ecrire via the lier_trad

CVE-2022-28960 | < 3.2.8 | CVSS 8.8 HIGH
  A PHP injection vulnerability in Spip before v3.2.8 allows attackers to execute arbitrary PHP code via the _oups parameter at /ecr

CVE-2022-28959 | <= 3.1.13 | CVSS 6.1 MEDIUM
  Multiple cross-site scripting (XSS) vulnerabilities in the component /spip.php of Spip Web Framework v3.1.13 and below allows atta

CVE-2022-26847 | < 3.2.14 | CVSS 5.3 MEDIUM
  SPIP before 3.2.14 and 4.x before 4.0.5 allows unauthenticated access to information about editorial objects.

CVE-2022-26846 | < 3.2.14 | CVSS 8.8 HIGH
  SPIP before 3.2.14 and 4.x before 4.0.5 allows remote authenticated editors to execute arbitrary code.

CVE-2021-44123 | all versions | CVSS 8.8 HIGH
  SPIP 4.0.0 is affected by a remote command execution vulnerability. To exploit the vulnerability, an attacker must craft a malicio

CVE-2021-44122 | all versions | CVSS 8.8 HIGH
  SPIP 4.0.0 is affected by a Cross Site Request Forgery (CSRF) vulnerability in ecrire/public/aiguiller.php, ecrire/public/balises.

CVE-2021-44120 | all versions | CVSS 5.4 MEDIUM
  SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability in ecrire/public/interfaces.php, adding the function safehtml

CVE-2021-44118 | all versions | CVSS 5.4 MEDIUM
  SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability. To exploit the vulnerability, a visitor must browse to a mal

CVE-2020-28984 | < 3.2.8 | CVSS 9.8 CRITICAL
  prive/formulaires/configurer_preferences.php in SPIP before 3.2.8 does not properly validate the couleur, display, display_navigat

CVE-2019-19830 | >= 3.2.0 and < 3.2.7 | CVSS 6.5 MEDIUM
  _core_/plugins/medias in SPIP 3.2.x before 3.2.7 allows remote authenticated authors to inject content into the database.

CVE-2019-16394 | < 3.1.11 | CVSS 5.3 MEDIUM
  SPIP before 3.1.11 and 3.2 before 3.2.5 provides different error messages from the password-reminder page depending on whether an

CVE-2019-16393 | < 3.1.11 | CVSS 6.1 MEDIUM
  SPIP before 3.1.11 and 3.2 before 3.2.5 mishandles redirect URLs in ecrire/inc/headers.php with a %0D, %0A, or %20 character.

CVE-2019-16392 | < 3.1.11 | CVSS 6.1 MEDIUM
  SPIP before 3.1.11 and 3.2 before 3.2.5 allows prive/formulaires/login.php XSS via error messages.

CVE-2019-16391 | < 3.1.11 | CVSS 6.5 MEDIUM
  SPIP before 3.1.11 and 3.2 before 3.2.5 allows authenticated visitors to modify any published content and execute other modificati

CVE-2019-11071 | >= 3.1.0 and < 3.1.10 | CVSS 8.8 HIGH
  SPIP 3.1 before 3.1.10 and 3.2 before 3.2.4 allows authenticated visitors to execute arbitrary code on the host server because var

CVE-2017-15736 | <= 3.1.6 | CVSS 6.1 MEDIUM
  Cross-site scripting (XSS) vulnerability (stored) in SPIP before 3.1.7 allows remote attackers to inject arbitrary web script or H

CVE-2017-9736 | all versions | CVSS 9.8 CRITICAL
  SPIP 3.1.x before 3.1.6 and 3.2.x before Beta 3 does not remove shell metacharacters from the host field, allowing a remote attack

CVE-2016-7999 | <= 3.1.2 | CVSS 7.4 HIGH
  ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to conduct server side request forgery (SSRF) attack

CVE-2016-7998 | <= 3.1.2 | CVSS 8.8 HIGH
  The SPIP template composer/compiler in SPIP 3.1.2 and earlier allows remote authenticated users to execute arbitrary PHP code by u

CVE-2016-7982 | <= 3.1.2 | CVSS 7.5 HIGH
  Directory traversal vulnerability in ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to enumerate th

CVE-2016-7981 | <= 3.1.2 | CVSS 6.1 MEDIUM
  Cross-site scripting (XSS) vulnerability in valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to inject arbitrary

CVE-2016-7980 | <= 3.1.2 | CVSS 8.8 HIGH
  Cross-site request forgery (CSRF) vulnerability in ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers t

CVE-2016-9998 | all versions | CVSS 6.1 MEDIUM
  SPIP 3.1.x suffers from a Reflected Cross Site Scripting Vulnerability in /ecrire/exec/info_plugin.php involving the $plugin para

CVE-2016-9997 | all versions | CVSS 6.1 MEDIUM
  SPIP 3.1.x suffers from a Reflected Cross Site Scripting Vulnerability in /ecrire/exec/puce_statut.php involving the $id paramet

CVE-2016-9152 | all versions | CVSS 6.1 MEDIUM
  Cross-site scripting (XSS) vulnerability in ecrire/exec/plonger.php in SPIP 3.1.3 allows remote attackers to inject arbitrary web

CVE-2016-3154 | all versions | CVSS 9.8 CRITICAL
  The encoder_contexte_ajax function in ecrire/inc/filtres.php in SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.

CVE-2016-3153 | all versions | CVSS 9.8 CRITICAL
  SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 allows remote attackers to execute arbitrary PHP code by addin

CVE-2013-7303 | <= 2.1.24 | CVSS not listed
  Multiple cross-site scripting (XSS) vulnerabilities in (1) squelettes-dist/formulaires/inscription.php and (2) prive/forms/editer_

CVE-2013-4557 | all versions | CVSS not listed
  The Security Screen (_core_/securite/ecran_securite.php) before 1.1.8 for SPIP, as used in SPIP 3.0.x before 3.0.12, allows remote

CVE-2013-4556 | <= 2.1.23 | CVSS not listed
  Cross-site scripting (XSS) vulnerability in the author page (prive/formulaires/editer_auteur.php) in SPIP before 2.1.24 and 3.0.x

CVE-2013-4555 | <= 2.1.23 | CVSS not listed
  Cross-site request forgery (CSRF) vulnerability in ecrire/action/logout.php in SPIP before 2.1.24 allows remote attackers to hijac

CVE-2013-2118 | all versions | CVSS not listed
  SPIP 3.0.x before 3.0.9, 2.1.x before 2.1.22, and 2.0.x before 2.0.23 allows remote attackers to gain privileges and "take editori

CVE-2012-4331 | all versions | CVSS not listed
  Multiple unspecified vulnerabilities in SPIP before 1.9.2.o, 2.0.x before 2.0.18, and 2.1.x before 2.1.13 have unknown impact and

CVE-2012-2151 | all versions | CVSS not listed
  Multiple cross-site scripting (XSS) vulnerabilities in SPIP 1.9.x before 1.9.2.o, 2.0.x before 2.0.18, and 2.1.x before 2.1.13 all

CVE-2009-3041 | all versions | CVSS not listed
  SPIP 1.9 before 1.9.2i and 2.0.x through 2.0.8 does not use proper access control for (1) ecrire/exec/install.php and (2) ecrire/i

CVE-2008-5813 | all versions | CVSS not listed
  SQL injection vulnerability in inc/rubriques.php in SPIP 1.8 before 1.8.3b, 1.9 before 1.9.2g, and 2.0 before 2.0.2 allows remote

CVE-2008-5812 | all versions | CVSS not listed
  Multiple unspecified vulnerabilities in SPIP 1.8 before 1.8.3b, 1.9 before 1.9.2g, and 2.0 before 2.0.2 have unknown impact and at

CVE-2007-4525 | all versions | CVSS not listed
  PHP remote file inclusion vulnerability in inc-calcul.php3 in SPIP 1.7.2 allows remote attackers to execute arbitrary PHP code via

CVE-2006-1702 | all versions | CVSS not listed
  PHP remote file inclusion vulnerability in spip_login.php3 in SPIP 1.8.3 allows remote attackers to execute arbitrary PHP code via

CVE-2006-1295 | all versions | CVSS not listed
  Cross-site scripting (XSS) vulnerability in recherche.php3 in SPIP 1.8.2-g allows remote attackers to inject arbitrary web script

CVE-2006-0626 | all versions | CVSS not listed
  SQL injection vulnerability in spip_acces_doc.php3 in SPIP 1.8.2g and earlier allows remote attackers to execute arbitrary SQL com

CVE-2006-0625 | all versions | CVSS not listed
  Directory traversal vulnerability in Spip_RSS.PHP in SPIP 1.8.2g and earlier allows remote attackers to read or include arbitrary

CVE-2006-0519 | <= 1.8.2e | CVSS not listed
  SPIP 1.8.2-e and earlier and 1.9 Alpha 2 (5539) and earlier allows remote attackers to obtain sensitive information via a direct r

CVE-2006-0518 | <= 1.8.2e | CVSS not listed
  Cross-site scripting (XSS) vulnerability in index.php3 in SPIP 1.8.2-e and earlier and 1.9 Alpha 2 (5539) and earlier allows remot

CVE-2006-0517 | <= 1.8.2e | CVSS not listed
  Multiple SQL injection vulnerabilities in formulaires/inc-formulaire_forum.php3 in SPIP 1.8.2-e and earlier and 1.9 Alpha 2 (5539)

CVE-2005-4494 | all versions | CVSS not listed
  Cross-site scripting (XSS) vulnerability in SPIP 1.8.2 and earlier allows remote attackers to inject arbitrary web script or HTML
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin