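SPIP versions prior to 4.4.14 contain a remote code execution vulnerability (CWE-94, code injection) in the private space that allows attackers to execute arbitrary code in the context of the web server. The record's CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base score 8.8, High) indicates that the attacker needs a low-privileged account and no user interaction. Attackers can exploit this vulnerability to achieve code execution that bypasses the SPIP security screen protections, so the security screen should not be relied on as a mitigation; the record lists 4.4.14 as the first unaffected version.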
PUBLISHED · CVE record data version 5.2 · CWE-94
SPIP < 4.4.14 Remote Code Execution via Private Space
Problem type
Affected products
Vendor: SPIP
Product: SPIP
Versions: < 4.4.14 - AFFECTED (default status: unaffected)
References
blog.spip.net
https://blog.spip.net/
vulncheck.com
https://www.vulncheck.com/advisories/spip-prior-to-remote-code-execution-via-private-space
GitHub Security Advisories
GHSA-pgpj-4fv5-cq78
SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the private space...
https://github.com/advisories/GHSA-pgpj-4fv5-cq78
SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the private space that allows attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability to achieve code execution that bypasses the SPIP security screen protections.
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-8429
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-8429",
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"dateUpdated": "2026-05-12T19:41:52.664Z",
"dateReserved": "2026-05-12T18:07:12.595Z",
"datePublished": "2026-05-12T18:32:17.431Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck",
"dateUpdated": "2026-05-12T19:41:52.664Z"
},
"datePublic": "2026-05-12T19:00:00.000Z",
"title": "SPIP < 4.4.14 Remote Code Execution via Private Space",
"descriptions": [
{
"lang": "en",
"value": "SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the private space that allows attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability to achieve code execution that bypasses the SPIP security screen protections.",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "<p>SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the private space that allows attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability to achieve code execution that bypasses the SPIP security screen protections.</p>"
}
]
}
],
"affected": [
{
"vendor": "SPIP",
"product": "SPIP",
"defaultStatus": "unaffected",
"versions": [
{
"version": "0",
"status": "affected",
"versionType": "semver",
"lessThan": "4.4.14"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-94 Improper Control of Generation of Code ('Code Injection')",
"cweId": "CWE-94",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://blog.spip.net/",
"tags": [
"vendor-advisory"
]
},
{
"url": "https://www.vulncheck.com/advisories/spip-prior-to-remote-code-execution-via-private-space",
"tags": [
"third-party-advisory"
]
}
],
"metrics": [
{
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
],
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH"
}
},
{
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Louka Jacques-Chevallier",
"type": "finder"
}
]
}
}
}