Cyber Posture

CVE-2026-27743

CriticalPublic PoC

Published: 25 February 2026

Published
25 February 2026
Modified
03 March 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0019 40.8th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

The SPIP referer_spam plugin versions prior to 1.3.0 contain an unauthenticated SQL injection vulnerability in the referer_spam_ajouter and referer_spam_supprimer action handlers. The handlers read the url parameter from a GET request and interpolate it directly into SQL LIKE clauses without…

more

input validation or parameterization. The endpoints do not enforce authorization checks and do not use SPIP action protections such as securiser_action(), allowing remote attackers to execute arbitrary SQL queries.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly mitigates the unauthenticated SQL injection by requiring validation of the url parameter before interpolation into SQL LIKE clauses.

AC-3 Access Enforcement good match
prevent

Enforces authorization checks missing in the referer_spam_ajouter and referer_spam_supprimer handlers, blocking unauthenticated access to vulnerable endpoints.

SI-2 Flaw Remediation good match
prevent

Requires timely remediation of the flaw through patching to referer_spam version 1.3.0 or later, addressing the lack of input sanitization and protections.

Security SummaryAI

CVE-2026-27743 is an unauthenticated SQL injection vulnerability (CWE-89) affecting the referer_spam plugin for the SPIP content management system in versions prior to 1.3.0. The issue resides in the referer_spam_ajouter and referer_spam_supprimer action handlers, which process a url parameter from GET requests and directly interpolate it into SQL LIKE clauses without input validation, parameterization, or authorization checks such as SPIP's securiser_action(). This flaw, published on 2026-02-25, carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for complete database compromise.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. By crafting malicious GET requests to the affected endpoints, attackers can execute arbitrary SQL queries, enabling data exfiltration, modification, or deletion within the SPIP database, as well as potential privilege escalation or denial of service.

Advisories and patches, including the SPIP security update announcement for version 4.4.10, a fix commit in the referer_spam plugin repository (33682df73cd5f7e9c72d8c4d5088611fa2441683), and analyses from VulnCheck and Chocapikk, recommend immediate upgrade to referer_spam version 1.3.0 or later to address the lack of input sanitization and authorization. The plugin page on plugins.spip.net provides details on the updated release.

Details

CWE(s)
CWE-89

Affected Products

spip
referer spam
≤ 1.3.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
attack.mitre.org →
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
attack.mitre.org →
Why these techniques?

Unauthenticated SQL injection in public-facing SPIP plugin directly enables T1190 (exploit public-facing application). Allows arbitrary SQL for data exfiltration (T1213.006: databases) and modification/deletion (T1565.001: stored data manipulation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References