CVE-2026-27475

Name of the Vulnerable Software and Affected Versions SPIP versions prior to 4.4.9

Description SPIP versions prior to 4.4.9 contain an Insecure Deserialization flaw. The issue is present in the handling of serialized data within the table valeur filter and the DATA iterator. An attacker who can place malicious serialized content may be able to trigger arbitrary object instantiation and potentially achieve code execution. The use of serialized data in these components has been deprecated and will be removed in SPIP 5. The SPIP security screen does not mitigate this issue.

Recommendations Update to SPIP version 4.4.9 or later.