CVE-2026-27472

low-risk

Published 2026-02-19

SPIP before 4.4.9 allows Blind Server-Side Request Forgery (SSRF) via syndicated sites in the private area. When editing a syndicated site, the application does not verify that the syndication URL is a valid remote URL, allowing an authenticated attacker to make the server issue requests to arbitrary internal or external destinations. This vulnerability is not mitigated by the SPIP security screen.

Do I need to act?

0.05% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.3/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Spip

Affected Vendors

Spip

References (3)

Vendor Advisory https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-9.html

Product https://git.spip.net/spip/spip

Third Party Advisory https://www.vulncheck.com/advisories/spip-blind-server-side-request-forgery-via-...

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal