Blind Server-Side Request Forgery in SPIP Affected by Vulnerability
CVE-2026-27472

5.3MEDIUM

Key Information:

Vendor: Spip
Status: Spip
Vendor: CVE Published:; 19 February 2026

What is CVE-2026-27472?

SPIP prior to version 4.4.9 is susceptible to a blind server-side request forgery (SSRF) vulnerability due to improper validation of syndication URLs in the private area. This flaw enables authenticated attackers to send requests from the server to unauthorized internal or external destinations when managing syndicated sites. The existing security measures within SPIP do not effectively mitigate this issue, posing a significant risk to the integrity and confidentiality of server resources.

Affected Version(s)

SPIP 4.4.0 < 4.4.9

References

https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-S...

vendor-advisorypatch

https://git.spip.net/spip/spip

product

https://www.vulncheck.com/advisories/spip-blind-server-si...

third-party-advisory

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 19, 2026
Vulnerability Reserved
Feb 19, 2026

Credit

Dorian Piette (Trachinus)

CVE-2026-27472 Data

JSON

Spip

What is CVE-2026-27472?

Affected Version(s)

References

CVSS V4

Timeline

Credit