PT-2026-21862 · Spip · Spip+1
Valentin Lobstein +1
Published: 2026-02-25 · Updated: 2026-02-25
CVE-2026-27747
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
SPIP interface traduction objets plugin versions prior to 4.3.3
Description
The SPIP interface traduction objets plugin is susceptible to an authenticated SQL injection issue. The plugin does not properly validate input for the id_parent parameter when processing translation requests, specifically within the interface_traduction_objets_pipelines.php file. This parameter is directly incorporated into a SQL query using the sql_getfetsel() function without appropriate sanitization or parameterization. An attacker with editor-level privileges can inject malicious SQL code through the id_parent parameter, potentially leading to database disclosure or modification, and potentially denial of service.
Recommendations
Update the SPIP interface traduction objets plugin to version 4.3.3 or later.
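A log check to run alongside the update, as an added example that is not part of the advisory or the plugin's code: it flags requests whose id_parent value is not a plain integer. It assumes id_parent is a numeric SPIP object id and that the value is visible in the logged query string; the log lines, paths and addresses are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines for illustration; paths and addresses are made up.
SAMPLE_LOG = """\
198.51.100.7 - - [25/Feb/2026:10:02:11 +0000] "GET /ecrire/?exec=article_edit&id_parent=12 HTTP/1.1" 200 5123
198.51.100.7 - - [25/Feb/2026:10:02:40 +0000] "GET /ecrire/?exec=article_edit&id_parent=12%20AND%201%3D1 HTTP/1.1" 200 5123
203.0.113.9 - - [25/Feb/2026:10:03:02 +0000] "POST /ecrire/?exec=rubrique_edit&id_parent= HTTP/1.1" 200 4410
203.0.113.9 - - [25/Feb/2026:10:03:05 +0000] "GET /spip.php?page=sommaire HTTP/1.1" 200 9001
198.51.100.7 - - [25/Feb/2026:10:04:19 +0000] "GET /ecrire/?exec=article_edit&id_parent%5B%5D=3 HTTP/1.1" 200 5123
"""

PARAM = "id_parent"
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_id_parent(log_text):
    """Return (client_ip, param_name, decoded_value) for every request whose
    id_parent is neither empty nor a plain decimal integer."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line we can parse
        query = urlsplit(match.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            # PHP also accepts array syntax (id_parent[]=...), so match on the base name.
            if name.split("[", 1)[0] != PARAM:
                continue
            plain = name == PARAM and (value == "" or re.fullmatch(r"[0-9]+", value))
            if not plain:
                hits.append((match.group("ip"), name, value))
    return hits


if __name__ == "__main__":
    for ip, name, value in suspicious_id_parent(SAMPLE_LOG):
        print(f"{ip} sent non-integer {name}={value!r}")
```

Values sent in POST bodies do not appear in standard access logs, so the same check has to be applied wherever request bodies are recorded.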
Exploit
Fix
DoS
SQL injection
Affected Products
Spip
Interface Traduction Objets Plugin