Shodan
Vulnerabilities
Vulnerable Software
Spip:  >> Spip  >> 3.1.15  Security Vulnerabilities
CVE-2026-22205
SPIP versions prior to 4.4.10 contain an authentication bypass vulnerability caused by PHP type juggling that allows unauthenticated attackers to access protected information. Attackers can exploit loose type comparisons in authentication logic to bypass login verification and retrieve sensitive internal data.
CVSS Score
8.7
EPSS Score
0.004
Published
2026-02-26
CVE-2026-22206
SPIP versions prior to 4.4.10 contain a SQL injection vulnerability that allows authenticated low-privilege users to execute arbitrary SQL queries by manipulating union-based injection techniques. Attackers can exploit this SQL injection flaw combined with PHP tag processing to achieve remote code execution on the server.
CVSS Score
8.7
EPSS Score
0.002
Published
2026-02-26
CVE-2024-23659
SPIP before 4.1.14 and 4.2.x before 4.2.8 allows XSS via the name of an uploaded file. This is related to javascript/bigup.js and javascript/bigup.utils.js.
CVSS Score
6.1
EPSS Score
0.009
Published
2024-01-19
CVE-2023-52322
ecrire/public/assembler.php in SPIP before 4.1.13 and 4.2.x before 4.2.7 allows XSS because input from _request() is not restricted to safe characters such as alphanumerics.
CVSS Score
6.1
EPSS Score
0.002
Published
2024-01-04
CVE-2023-27372
SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
CVSS Score
9.8
EPSS Score
0.931
Published
2023-02-28
CVE-2023-24258
SPIP v4.1.5 and earlier was discovered to contain a SQL injection vulnerability via the _oups parameter. This vulnerability allows attackers to execute arbitrary code via a crafted POST request.
CVSS Score
9.8
EPSS Score
0.028
Published
2023-02-27
CVE-2022-37155
RCE in SPIP 3.1.13 through 4.1.2 allows remote authenticated users to execute arbitrary code via the _oups parameter.
CVSS Score
8.8
EPSS Score
0.078
Published
2022-12-14
CVE-2022-28960
A PHP injection vulnerability in Spip before v3.2.8 allows attackers to execute arbitrary PHP code via the _oups parameter at /ecrire.
CVSS Score
8.8
EPSS Score
0.007
Published
2022-05-19
CVE-2022-26847
SPIP before 3.2.14 and 4.x before 4.0.5 allows unauthenticated access to information about editorial objects.
CVSS Score
5.3
EPSS Score
0.004
Published
2022-03-10
CVE-2022-26846
SPIP before 3.2.14 and 4.x before 4.0.5 allows remote authenticated editors to execute arbitrary code.
CVSS Score
8.8
EPSS Score
0.058
Published
2022-03-10


Products
Pricing
Contact Us

Shodan ® - All rights reserved