PT-2026-21860 · Spip · Spip+1

Valentin Lobstein +1 · Published 2026-02-25 · Updated 2026-03-02 · CVE-2026-27745

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

SPIP interface traduction objets plugin versions prior to 2.2.2
SPIP interface traduction objets plugin versions 2.2.2 through 4.3.3

Description

The SPIP interface traduction objets plugin contains an authenticated remote code execution issue in the translation interface workflow. The plugin incorporates untrusted request data into a hidden form field that is rendered without SPIP output filtering. Fields prefixed with an underscore bypass protection mechanisms, and the hidden content is rendered with filtering disabled. This allows an authenticated attacker with editor-level privileges to inject crafted content that is evaluated through SPIP's template processing chain, resulting in code execution in the context of the web server.

Recommendations

Update the SPIP interface traduction objets plugin to version 2.2.2 or later.
Update the SPIP interface traduction objets plugin to version 4.3.3 or later.

Exploit

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-27745

Affected Products

Spip
Interface Traduction Objets