Description

SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the public space that is limited to certain nginx configurations, allowing attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability through specific nginx configuration scenarios to achieve code execution, and this issue is not mitigated by the SPIP security screen.

PUBLISHED Reserved 2026-05-12 | Published 2026-05-12 | Updated 2026-05-14 | Assigner VulnCheck




HIGH: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CRITICAL: 9.2 (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Problem types

CWE-94 Improper Control of Generation of Code ('Code Injection')

Product status

Default status: unaffected

Any version before 4.4.14: affected

Credits

Louka Jacques-Chevallier / Laluka, Baptiste Rolando / p4st1s, Arthur Deloffre / Vozec, jvoisin finder

References

blog.spip.net/ vendor-advisory

www.vulncheck.com/...rior-to-remote-code-execution-via-nginx third-party-advisory

cve.org (CVE-2026-8430)

nvd.nist.gov (CVE-2026-8430)