Authenticated Remote Code Execution in SPIP Interface_traduction_objets Plugin
CVE-2026-27745
8.7 HIGH
What is CVE-2026-27745?
The Interface_traduction_objets plugin for SPIP contains a vulnerability that allows authenticated attackers to execute arbitrary code via the translation interface. Specifically, the plugin fails to appropriately filter untrusted data rendered in a hidden form field, which can be manipulated by users with editor-level privileges. This design flaw permits crafted content to be evaluated within SPIP's template processing system, enabling remote code execution in the context of the web server. To mitigate this issue, users are advised to update to version 4.3.3 or later.
Affected Version(s)
interface_traduction_objets < 2.2.2 (all releases before 2.2.2)
References
CVSS v4
Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved
Credit
Valentin Lobstein (Chocapikk)
VulnCheck
