Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.7
SPIP versions 4.4.10 and earlier allow attackers to execute SQL code on the server
CVE-2026-22206
Summary
Authenticated users with low privileges can potentially access and manipulate sensitive data, or even execute malicious code on your server. This can happen if you're running an outdated version of SPIP. Update to version 4.4.10 or later to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| spip | spip | <= 4.4.10 | – |
Original title
SPIP versions prior to 4.4.10 contain a SQL injection vulnerability that allows authenticated low-privilege users to execute arbitrary SQL queries by manipulating union-based injection techniques. ...
Original description
SPIP versions prior to 4.4.10 contain a SQL injection vulnerability that allows authenticated low-privilege users to execute arbitrary SQL queries by manipulating union-based injection techniques. Attackers can exploit this SQL injection flaw combined with PHP tag processing to achieve remote code execution on the server.
nvd CVSS3.1
8.8
nvd CVSS4.0
8.7
Vulnerability type
CWE-89
SQL Injection
- https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-10.html Release Notes
- https://git.spip.net/spip/spip Product
- https://www.vulncheck.com/advisories/spip-sql-injection-rce-via-union-php-tags Third Party Advisory
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026