Cyber Posture

CVE-2026-27475

Severity: High · Public PoC available

Published: 19 February 2026
Modified: 24 February 2026
KEV Added: not listed

CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (35.0th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

SPIP before 4.4.9 allows insecure deserialization in the public area through the table_valeur filter and the DATA iterator, which accept serialized data. An attacker who can place malicious serialized content (a precondition requiring prior access or another vulnerability) can trigger arbitrary object instantiation and potentially achieve code execution. The use of serialized data in these components has been deprecated and will be removed in SPIP 5. This vulnerability is not mitigated by the SPIP security screen.

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mitigates the insecure deserialization vulnerability through timely flaw remediation, here patching to SPIP 4.4.9, which deprecates the unsafe serialized-data handling in the affected components.

Prevent: Prevents arbitrary object instantiation and code execution by validating all incoming data before it reaches the table_valeur filter and the DATA iterator, so that serialized object payloads are rejected rather than parsed.

Prevent and detect: Detects and blocks execution of malicious code instantiated via deserialization through runtime integrity monitoring of software and data.

Security Summary

CVE-2026-27475 is an insecure deserialization vulnerability (CWE-502) affecting SPIP versions prior to 4.4.9. It occurs in the public area of the software through the table_valeur filter and the DATA iterator, both of which accept serialized data. This flaw allows arbitrary object instantiation when malicious serialized content is processed, potentially leading to code execution. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

An unauthenticated attacker (PR:N) can exploit this remotely (AV:N) without user interaction (UI:N), though it requires high attack complexity (AC:H) due to the precondition of placing malicious serialized content on the target, which necessitates prior access or exploitation of another vulnerability. Successful deserialization triggers arbitrary object instantiation, enabling potential remote code execution with high impacts on confidentiality, integrity, and availability.

Advisories recommend updating to SPIP 4.4.9, which addresses the issue by deprecating the use of serialized data in these components; this functionality will be fully removed in SPIP 5. The SPIP security screen (the ecran_securite.php drop-in that normally hot-fixes known flaws) does not mitigate this vulnerability, so upgrading is the only fix. Relevant resources include the official SPIP security update announcement, the SPIP Git repository, and the VulnCheck advisory.
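The mechanism the summary describes, and the hardening a PHP application can apply to it, as an added illustration: this is not SPIP code and not a proof of concept for this CVE (the SPIP fix is the deprecation of serialized input in table_valeur and the DATA iterator, not the code below). The LogWriter class, the filter_vulnerable, filter_hardened and contains_php_object functions, and the payload string are all constructed for this example and assume PHP 8.0 or later.

```php
<?php
// Added example (not SPIP code): why handing untrusted input to unserialize()
// is dangerous, and two hardened alternatives. Everything here is constructed
// for illustration; LogWriter is a stand-in for any class already loaded in
// the application that has a side effect in a magic method.
declare(strict_types=1);

class LogWriter
{
    public string $path = '/tmp/app.log';
    public string $line = '';

    // A real gadget would do something like
    // file_put_contents($this->path, $this->line) here. The attacker never
    // calls this; PHP invokes it when the object is destroyed, with whatever
    // property values the serialized payload declared. This demo only reports.
    public function __destruct()
    {
        echo "LogWriter::__destruct ran with path={$this->path}\n";
    }
}

// Vulnerable pattern: a "filter" that accepts a string and, if it parses as
// serialized data, returns the decoded value. Any class visible to the
// process can be instantiated with attacker-chosen properties.
function filter_vulnerable(string $value): mixed
{
    $data = @unserialize($value);
    // Note: a legitimately serialized false ("b:0;") is indistinguishable
    // from a parse failure here; the hardened versions inherit that quirk.
    return $data === false ? $value : $data;
}

// Hardened pattern 1: refuse to instantiate classes at all. Scalars and arrays
// still round-trip; any object in the payload becomes __PHP_Incomplete_Class,
// whose __wakeup/__destruct/__toString are never called. max_depth (PHP 7.4+)
// additionally bounds nesting so a payload cannot exhaust the stack.
function filter_hardened(string $value): mixed
{
    $data = @unserialize($value, ['allowed_classes' => false, 'max_depth' => 16]);
    return $data === false ? $value : $data;
}

// Hardened pattern 2: reject a payload that declares an object before it is
// parsed. "O:<len>:"" is a plain object, "C:<len>:"" a custom-serialized one;
// either at the top level or nested after ';' or '{' is what an object
// instantiation chain needs. This is a coarse deny-list (a string value that
// happens to contain O:1:" is also rejected); allowed_classes is the real control.
function contains_php_object(string $value): bool
{
    return preg_match('/(^|[;{])[OC]:\d+:"/', $value) === 1;
}

// Constructed payload: a serialized LogWriter with attacker-chosen properties.
$payload = 'O:9:"LogWriter":2:{s:4:"path";s:19:"/tmp/shell_demo.php";s:4:"line";s:9:"<payload>";}';

$v = filter_vulnerable($payload);
printf("vulnerable: got %s with path=%s\n", get_class($v), $v->path);
unset($v);   // the destructor fires here, with the attacker's property values

$h = filter_hardened($payload);
printf("hardened:   got %s (no constructor, no magic methods)\n", get_class($h));

printf("reject before parsing: %s\n", contains_php_object($payload) ? 'yes' : 'no');
printf("plain array:           %s\n", contains_php_object('a:1:{i:0;s:2:"ok";}') ? 'rejected' : 'allowed');
```

Run it with `php example.php`. The vulnerable filter returns a live LogWriter whose destructor runs with the attacker's path; the hardened filter returns an inert __PHP_Incomplete_Class for the same bytes, and the pre-parse check rejects the payload while letting a serialized array through. If a component genuinely needs structured input from the public area, JSON with a strict schema is the safer carrier; that is the direction the page describes SPIP taking by deprecating serialized data in these components.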

Details

CWE(s)
CWE-502 Deserialization of Untrusted Data

Affected Products
Vendor: spip
Product: spip
Versions: 4.4.0 up to, but not including, 4.4.9 (fixed in 4.4.9)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-27475 is an insecure deserialization vulnerability in a public-facing web application (SPIP CMS) exploitable remotely by unauthenticated attackers, directly mapping to T1190: Exploit Public-Facing Application, as it allows arbitrary object instantiation leading to potential RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
