CVE-2022-26846

moderate-risk
Published 2022-03-10

SPIP before 3.2.14 and 4.x before 4.0.5 allows remote authenticated editors to execute arbitrary code.

Do I need to act?

~
5.8% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (4)

Affected Vendors

Debian Spip

References (8)

Release Notes https://blog.spip.net/Mise-a-jour-critique-de-securite-sorties-de-SPIP-4-0-5-et-...
Patch https://git.spip.net/spip/medias/commit/3014b845da2dd8ad15ff04b50fd9dbba388a9ca2
Mailing List https://lists.debian.org/debian-lts-announce/2022/03/msg00020.html
Mailing List https://lists.debian.org/debian-security-announce/2022/msg00060.html
Release Notes https://blog.spip.net/Mise-a-jour-critique-de-securite-sorties-de-SPIP-4-0-5-et-...
Patch https://git.spip.net/spip/medias/commit/3014b845da2dd8ad15ff04b50fd9dbba388a9ca2
Mailing List https://lists.debian.org/debian-lts-announce/2022/03/msg00020.html
Mailing List https://lists.debian.org/debian-security-announce/2022/msg00060.html
49
/ 100
moderate-risk
Severity 30/34 · Critical
Exploitability 9/34 · Low
Exposure 10/34 · Low