Dismissed
Permalink
CVE-2026-27472
4.3 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): LOW
- Integrity impact (I): NONE
- Availability impact (A): NONE
by @LeSuisse Activity log
- Created automatic suggestion
-
@LeSuisse
removed
4 packages
- spip
- spiped
- aespipe
- lesspipe
- @LeSuisse dismissed
SPIP < 4.4.9 Blind Server-Side Request Forgery via Syndicated Sites
SPIP before 4.4.9 allows Blind Server-Side Request Forgery (SSRF) via syndicated sites in the private area. When editing a syndicated site, the application does not verify that the syndication URL is a valid remote URL, allowing an authenticated attacker to make the server issue requests to arbitrary internal or external destinations. This vulnerability is not mitigated by the SPIP security screen.
References
- https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-9.html vendor-advisory patch
- https://git.spip.net/spip/spip product
- VulnCheck Advisory: SPIP < 4.4.9 Blind Server-Side Request Forgery via Syndicated Sites third-party-advisory
Affected products
SPIP
- <4.4.9
Ignored packages (4)
pkgs.spip
A random forest model for splice prediction in genomics
-
nixos-unstable 0-unstable-2023-04-19
- nixpkgs-unstable 0-unstable-2023-04-19
- nixos-unstable-small 0-unstable-2023-04-19
-
nixos-25.11 0-unstable-2023-04-19
- nixos-25.11-small 0-unstable-2023-04-19
- nixpkgs-25.11-darwin 0-unstable-2023-04-19
pkgs.spiped
Utility for secure encrypted channels between sockets
pkgs.aespipe
AES encrypting or decrypting pipe