Authenticated SQL Injection Vulnerability in SPIP Plugin
CVE-2026-27747
7.1HIGH
What is CVE-2026-27747?
The interface_traduction_objets plugin for SPIP, versions prior to 4.3.3, contains an SQL injection vulnerability that could allow authenticated attackers to exploit the id_parent parameter. This vulnerability occurs as the plugin directly concatenates user-supplied input into SQL queries without adequate input validation or parameterization. An attacker with editor-level privileges could potentially manipulate backend database queries, leading to unauthorized data disclosure or modification, and may even trigger a denial of service, depending on the database configuration.
Affected Version(s)
interface_traduction_objets 0 < 2.2.2
References
CVSS V4
Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
Credit
Valentin Lobstein (Chocapikk)
VulnCheck