Authenticated Remote Code Execution in SPIP Interface_traduction_objets Plugin
CVE-2026-27745

8.7HIGH

Key Information:

Vendor

Spip

Status
Interface Traduction Objets
Vendor
CVE Published:
25 February 2026

Badges

๐Ÿ‘พ Exploit Exists

What is CVE-2026-27745?

The Interface_traduction_objets plugin for SPIP contains a vulnerability that allows authenticated attackers to execute arbitrary code via the translation interface. Specifically, the plugin fails to appropriately filter untrusted data rendered in a hidden form field, which can be manipulated by users with editor-level privileges. This design flaw permits crafted content to be evaluated within SPIP's template processing system, enabling remote code execution in the context of the web server. To mitigate this issue, users are advised to update to version 4.3.3 or later.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

interface_traduction_objets 0 < 2.2.2

References

https://chocapikk.com/posts/2026/spip-plugins-vulnerabili...
technical-descriptionexploit
https://plugins.spip.net/interface_traduction_objets
product
https://git.spip.net/spip-contrib-extensions/interface_tr...
patch

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Valentin Lobstein (Chocapikk)
VulnCheck
JSON
.