|
VCID-16ur-bz47-tbhf
|
SPIP before 4.4.8 contains a stored cross-site scripting (XSS) vulnerability in the public area triggered in certain edge-case usage patterns. The echapper_html_suspect() function does not adequately sanitize user-controlled content, allowing authenticated users with content-editing privileges (e.g., author-level roles and above) to inject malicious scripts. The injected payload may be rendered across multiple pages within the framework and execute in the browser context of other users, including administrators. Successful exploitation can allow attackers to perform actions in the security context of the victim user, including unauthorized modification of application state. This vulnerability is not mitigated by the SPIP security screen.
|
CVE-2026-26345
|
|
VCID-177n-axem-mqcx
|
ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to conduct server side request forgery (SSRF) attacks via a URL in the var_url parameter in a valider_xml action.
|
CVE-2016-7999
|
|
VCID-1rpa-1a47-4kdh
|
SPIP before 4.4.9 allows Stored Cross-Site Scripting (XSS) via syndicated sites in the private area. The #URL_SYNDIC output is not properly sanitized on the private syndicated site page, allowing an attacker who can set a malicious syndication URL to inject persistent scripts that execute when other administrators view the syndicated site details.
|
CVE-2026-27473
|
|
VCID-1sh3-vsjk-3fhr
|
The SPIP template composer/compiler in SPIP 3.1.2 and earlier allows remote authenticated users to execute arbitrary PHP code by uploading an HTML file with a crafted (1) INCLUDE or (2) INCLURE tag and then accessing it with a valider_xml action.
|
CVE-2016-7998
|
|
VCID-2dud-ys3n-aqeq
|
SPIP before 4.3.6, 4.2.17, and 4.1.20 allows unauthorized content disclosure in the private area. The application does not properly check authorization when displaying content of articles and sections (rubriques) in AJAX-loaded fragments, allowing an authenticated attacker to access restricted content. This vulnerability is not mitigated by the SPIP security screen.
|
CVE-2025-71242
|
|
VCID-2vt3-2dn9-qud9
|
SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the private space that allows attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability to achieve code execution that bypasses the SPIP security screen protections.
|
CVE-2026-8429
|
|
VCID-3kzh-snzg-aqbu
|
privilege escalation
|
CVE-2013-2118
|
|
VCID-4cyj-m5c1-sffs
|
security update
|
CVE-2021-44123
|
|
VCID-4ef7-72x9-yuf7
|
Multiple SQL injection vulnerabilities in formulaires/inc-formulaire_forum.php3 in SPIP 1.8.2-e and earlier and 1.9 Alpha 2 (5539) and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id_forum, (2) id_article, or (3) id_breve parameters to forum.php3; (4) unspecified vectors related to "session handling"; and (5) when posting "petitions".
|
CVE-2006-0517
|
|
VCID-4kcw-9mqg-7kd5
|
Multiple unspecified vulnerabilities in SPIP before 1.9.2.o, 2.0.x before 2.0.18, and 2.1.x before 2.1.13 have unknown impact and attack vectors that are not related to cross-site scripting (XSS), different vulnerabilities than CVE-2012-2151.
|
CVE-2012-4331
|
|
VCID-4pjp-c9f8-zkcj
|
security update
|
CVE-2021-44122
|
|
VCID-5trm-3pyt-nqdq
|
security update
|
CVE-2016-3154
|
|
VCID-63dn-uysy-5qd7
|
SPIP before 4.4.5 and 4.3.9 allows an Open Redirect via the login form when used in AJAX mode. An attacker can craft a malicious URL that, when visited by a victim, redirects them to an arbitrary external site after login. This vulnerability only affects sites where the login page has been overridden to function in AJAX mode. It is not mitigated by the SPIP security screen.
|
CVE-2025-71244
|
|
VCID-7vzq-9sk8-3fc4
|
SPIP 4.4.10 through 4.4.12 before 4.4.13 allows unintended privilege assignment (of administrator privileges) during the editing of an author data structure because of STATUT mishandling.
|
CVE-2026-33549
|
|
VCID-83k3-y2y7-t3dn
|
SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the public space that is limited to certain nginx configurations, allowing attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability through specific nginx configuration scenarios to achieve code execution, and this issue is not mitigated by the SPIP security screen.
|
CVE-2026-8430
|
|
VCID-88hp-dkae-1khj
|
SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an attacker to inject malicious scripts. This vulnerability is mitigated by the SPIP security screen.
|
CVE-2025-71241
|
|
VCID-9b5s-65zy-nbaj
|
Cross-site scripting (XSS) vulnerability in index.php3 in SPIP 1.8.2-e and earlier and 1.9 Alpha 2 (5539) and earlier allows remote attackers to inject arbitrary web script or HTML via the lang parameter.
|
CVE-2006-0518
|
|
VCID-9f84-njwz-wbhn
|
Cross-site scripting (XSS) vulnerability in valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the var_url parameter in a valider_xml action.
|
CVE-2016-7981
|
|
VCID-9knz-pzs2-e7b6
|
SPIP 3.1.x suffers from a Reflected Cross Site Scripting Vulnerability in /ecrire/exec/puce_statut.php involving the `$id` parameter, as demonstrated by a /ecrire/?exec=puce_statut URL.
|
CVE-2016-9997
|
|
VCID-9mda-dqpt-53bw
|
Multiple cross-site scripting (XSS) vulnerabilities in SPIP 1.9.x before 1.9.2.o, 2.0.x before 2.0.18, and 2.1.x before 2.1.13 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
|
CVE-2012-2151
|
|
VCID-a9mb-na1j-6ue1
|
SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.
|
CVE-2024-8517
|
|
VCID-acnd-dq6t-p7hp
|
several
|
CVE-2013-4556
|
|
VCID-ar32-qe18-zbf9
|
PHP remote file inclusion vulnerability in spip_login.php3 in SPIP 1.8.3 allows remote attackers to execute arbitrary PHP code via a URL in the url parameter.
|
CVE-2006-1702
|
|
VCID-au53-rjar-yqdz
|
SPIP versions prior to 4.4.10 contain a SQL injection vulnerability that allows authenticated low-privilege users to execute arbitrary SQL queries by manipulating union-based injection techniques. Attackers can exploit this SQL injection flaw combined with PHP tag processing to achieve remote code execution on the server.
|
CVE-2026-22206
|
|
VCID-avqa-5y3h-tucy
|
Cross-site scripting (XSS) vulnerability in recherche.php3 in SPIP 1.8.2-g allows remote attackers to inject arbitrary web script or HTML via the recherche parameter.
|
CVE-2006-1295
|
|
VCID-ay1d-afp2-eqav
|
security update
|
CVE-2022-28961
|
|
VCID-b5c3-q4pz-xbb4
|
PHP remote file inclusion vulnerability in inc-calcul.php3 in SPIP 1.7.2 allows remote attackers to execute arbitrary PHP code via a URL in the squelette_cache parameter, a different vector than CVE-2006-1702. NOTE: this issue has been disputed by third party researchers, stating that the squelette_cache variable is initialized before use, and is only used within the scope of a function
|
CVE-2007-4525
|
|
VCID-bcnb-dkx4-2uhg
|
Directory traversal vulnerability in Spip_RSS.PHP in SPIP 1.8.2g and earlier allows remote attackers to read or include arbitrary files via ".." sequences in the GLOBALS[type_urls] parameter, which could then be used to execute arbitrary code via resultant direct static code injection in the file parameter to spip_acces_doc.php3.
|
CVE-2006-0625
|
|
VCID-bmyj-qx4h-wufn
|
Multiple unspecified vulnerabilities in SPIP 1.8 before 1.8.3b, 1.9 before 1.9.2g, and 2.0 before 2.0.2 have unknown impact and attack vectors.
|
CVE-2008-5812
|
|
VCID-bzfg-y6zs-sfcx
|
SPIP 1.9 before 1.9.2i and 2.0.x through 2.0.8 does not use proper access control for (1) ecrire/exec/install.php and (2) ecrire/index.php, which allows remote attackers to conduct unauthorized activities related to installation and backups, as exploited in the wild in August 2009.
|
CVE-2009-3041
|
|
VCID-cdav-79pa-7kfd
|
SPIP before 4.1.14 and 4.2.x before 4.2.8 allows XSS via the name of an uploaded file. This is related to javascript/bigup.js and javascript/bigup.utils.js.
|
CVE-2024-23659
|
|
VCID-dk7m-szs5-uudf
|
security update
|
CVE-2016-3153
|
|
VCID-dtmg-hmnn-5faq
|
security update
|
CVE-2017-9736
|
|
VCID-e857-2smc-2qhu
|
security update
|
CVE-2023-24258
|
|
VCID-egjb-jqsf-57ec
|
Multiple cross-site scripting (XSS) vulnerabilities in (1) squelettes-dist/formulaires/inscription.php and (2) prive/forms/editer_auteur.php in SPIP before 2.1.25 and 3.0.x before 3.0.13 allow remote attackers to inject arbitrary web script or HTML via the author name field.
|
CVE-2013-7303
|
|
VCID-ercn-u1ez-7kgu
|
security update
|
CVE-2019-16391
|
|
VCID-f8jh-sgsn-mqgr
|
action/cookie.php in ecrire in SPIP before 4.4.15 is prone to an open redirect vulnerability.
|
CVE-2026-48832
|
|
VCID-fnc6-wbe2-g3an
|
security update
|
CVE-2022-26847
|
|
VCID-gffw-8mya-xyhb
|
SPIP before 4.2.15 allows Cross-Site Scripting (XSS) via crafted content in HTML code tags. The application does not properly verify JavaScript within code tags, allowing an attacker to inject malicious scripts that execute in a victim's browser.
|
CVE-2025-71240
|
|
VCID-h1cb-yt3w-1kb2
|
security update
|
CVE-2022-26846
|
|
VCID-h3ka-ancw-pfbv
|
SPIP 3.1.x suffer from a Reflected Cross Site Scripting Vulnerability in /ecrire/exec/info_plugin.php involving the `$plugin` parameter, as demonstrated by a /ecrire/?exec=info_plugin URL.
|
CVE-2016-9998
|
|
VCID-hcqm-dw7s-v7cc
|
SPIP before 4.4.9 allows Blind Server-Side Request Forgery (SSRF) via syndicated sites in the private area. When editing a syndicated site, the application does not verify that the syndication URL is a valid remote URL, allowing an authenticated attacker to make the server issue requests to arbitrary internal or external destinations. This vulnerability is not mitigated by the SPIP security screen.
|
CVE-2026-27472
|
|
VCID-hycc-4wn7-tyd5
|
several
|
CVE-2013-4555
|
|
VCID-jqtf-79uf-nfd8
|
security update
|
CVE-2022-28959
|
|
VCID-kaqv-5pbz-4yg1
|
SPIP 1.8.2-e and earlier and 1.9 Alpha 2 (5539) and earlier allows remote attackers to obtain sensitive information via a direct request to inc-messforum.php3, which reveals the path in an error message.
|
CVE-2006-0519
|
|
VCID-kb8u-axhu-2uc6
|
ecrire/public/assembler.php in SPIP before 4.1.13 and 4.2.x before 4.2.7 allows XSS because input from _request() is not restricted to safe characters such as alphanumerics.
|
CVE-2023-52322
|
|
VCID-kufx-hnax-77hg
|
SPIP before 4.4.9 allows Cross-Site Scripting (XSS) in the private area, complementing an incomplete fix from SPIP 4.4.8. The echappe_anti_xss() function was not systematically applied to input, form, button, and anchor (a) HTML tags, allowing an attacker to inject malicious scripts through these elements. This vulnerability is not mitigated by the SPIP security screen.
|
CVE-2026-27474
|
|
VCID-m3k8-b4td-pqbg
|
Cross-site request forgery (CSRF) vulnerability in ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that execute the XML validator on a local file via a crafted valider_xml request. NOTE: this issue can be combined with CVE-2016-7998 to execute arbitrary PHP code.
|
CVE-2016-7980
|
|
VCID-mfx4-kyu5-97a3
|
security update
|
CVE-2019-16392
|
|
VCID-msbb-rq4c-yqem
|
Cross-site scripting (XSS) vulnerability in SPIP 1.8.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) spip_login.php3 and (2) spip_pass.php3.
|
CVE-2005-4494
|
|
VCID-mvum-k8t7-juad
|
security update
|
CVE-2019-16393
|
|
VCID-mxd8-s8jm-37gk
|
SQL injection vulnerability in spip_acces_doc.php3 in SPIP 1.8.2g and earlier allows remote attackers to execute arbitrary SQL commands via the file parameter.
|
CVE-2006-0626
|
|
VCID-my6b-jg35-rbhu
|
security update
|
CVE-2019-16394
|
|
VCID-p199-bctb-zkev
|
security update
|
CVE-2021-44118
|
|
VCID-p6jj-w23v-kug7
|
security update
|
CVE-2020-28984
|
|
VCID-ph56-1gev-dua2
|
security update
|
CVE-2019-11071
|
|
VCID-qbcv-7zaj-u7hw
|
SPIP before 4.4.8 allows cross-site scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. The fix adds a sandbox attribute to iframe tags in the private area. This vulnerability is not mitigated by the SPIP security screen.
|
CVE-2026-26223
|
|
VCID-qx1z-xg58-nych
|
The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.
|
CVE-2024-7954
|
|
VCID-read-tjsj-z7hq
|
security update
|
CVE-2017-15736
|
|
VCID-spzj-ftrv-kkdq
|
security update
|
CVE-2022-37155
|
|
VCID-tj67-v546-6baw
|
Directory traversal vulnerability in ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to enumerate the files on the system via the var_url parameter in a valider_xml action.
|
CVE-2016-7982
|
|
VCID-tyxs-va7p-9qbp
|
security update
|
CVE-2021-44120
|
|
VCID-v7f1-2tph-eud8
|
several
|
CVE-2013-4557
|
|
VCID-vse7-46dj-y3gu
|
Cross-site scripting (XSS) vulnerability in ecrire/exec/plonger.php in SPIP 3.1.3 allows remote attackers to inject arbitrary web script or HTML via the rac parameter.
|
CVE-2016-9152
|
|
VCID-vtuw-zz4n-tked
|
security update
|
CVE-2023-27372
|
|
VCID-weh9-f7zx-9bds
|
SQL injection vulnerability in inc/rubriques.php in SPIP 1.8 before 1.8.3b, 1.9 before 1.9.2g, and 2.0 before 2.0.2 allows remote attackers to execute arbitrary SQL commands via the ID parameter. NOTE: some of these details are obtained from third party information.
|
CVE-2008-5813
|
|
VCID-x3j5-hrmx-tqhm
|
security update
|
CVE-2019-19830
|
|
VCID-y5fn-h6jt-b7b9
|
security update
|
CVE-2022-28960
|
|
VCID-ybb8-uf41-uyg8
|
SPIP before 4.4.9 allows Insecure Deserialization in the public area through the table_valeur filter and the DATA iterator, which accept serialized data. An attacker who can place malicious serialized content (a pre-condition requiring prior access or another vulnerability) can trigger arbitrary object instantiation and potentially achieve code execution. The use of serialized data in these components has been deprecated and will be removed in SPIP 5. This vulnerability is not mitigated by the SPIP security screen.
|
CVE-2026-27475
|
|
VCID-zu4w-61q8-1uaz
|
SPIP versions prior to 4.4.10 contain an authentication bypass vulnerability caused by PHP type juggling that allows unauthenticated attackers to access protected information. Attackers can exploit loose type comparisons in authentication logic to bypass login verification and retrieve sensitive internal data.
|
CVE-2026-22205
|