CVE-2026-27745
Published: 25 February 2026
Description
The SPIP interface_traduction_objets plugin versions prior to 2.2.2 contain an authenticated remote code execution vulnerability in the translation interface workflow. The plugin incorporates untrusted request data into a hidden form field that is rendered without SPIP output filtering. Because fields prefixed with an underscore bypass protection mechanisms and the hidden content is rendered with filtering disabled, an authenticated attacker with editor-level privileges can inject crafted content that is evaluated through SPIP's template processing chain, resulting in execution of code in the context of the web server.
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- Requires validation of untrusted request data to prevent injection of crafted content into hidden form fields.
- Mandates output filtering to block rendering of malicious payloads through SPIP's template processing chain.
- Ensures timely remediation of the flaw by updating the interface_traduction_objets plugin to version 2.2.2 or later.
Security Summary (AI-generated)
CVE-2026-27745 is an authenticated remote code execution vulnerability (CWE-94) in the SPIP interface_traduction_objets plugin for versions prior to 2.2.2. The issue resides in the translation interface workflow, where the plugin incorporates untrusted request data into a hidden form field that is rendered without SPIP output filtering. Fields prefixed with an underscore bypass SPIP's protection mechanisms, and the hidden content is processed with filtering disabled, enabling injected content to be evaluated through SPIP's template processing chain and resulting in code execution within the web server context. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated attacker possessing editor-level privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By submitting crafted content via untrusted request data, the attacker causes the plugin to render a malicious payload in the hidden form field, leading to arbitrary code execution on the server. The impact on confidentiality, integrity, and availability is rated high, potentially allowing full server compromise, data exfiltration, or further lateral movement within the environment.
Advisories and patch notes emphasize updating the interface_traduction_objets plugin to version 2.2.2 or later to mitigate the vulnerability. Key resources include the SPIP security update blog post announcing related fixes, a detailed analysis of SPIP plugin vulnerabilities, the specific patching commit in the plugin's Git repository, the official plugin page, and VulnCheck's advisory on the authenticated RCE.
Details
- CWE(s): CWE-94
- Affected Products: SPIP interface_traduction_objets plugin, versions prior to 2.2.2
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
CVE-2026-27745 is an authenticated RCE via template injection in a public-facing SPIP web plugin, directly mapping to Exploit Public-Facing Application (T1190) and Template Injection (T1221).