PT-2026-20913 · Spip · Spip

Dorian Piette · Published 2026-01-01 · Updated 2026-02-23 · CVE-2026-27472

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions: SPIP versions prior to 4.4.9

Description: SPIP versions before 4.4.9 contain a Blind Server-Side Request Forgery (SSRF) issue related to syndicated sites within the private area. The application does not validate the syndication URL when editing a syndicated site, potentially allowing an authenticated attacker to force the server to make requests to arbitrary internal or external locations. The SPIP security screen does not address this issue.

Recommendations: Update to SPIP version 4.4.9 or later.

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-27472

Affected Products

Spip