SPIP Blind Server-Side Request Forgery Vulnerability

Vulnerability

A blind server-side request forgery (SSRF) vulnerability has been identified in SPIP versions prior to 4.4.9. This vulnerability exists in the private area when managing syndicated sites. The application fails to validate whether the syndication URL is a legitimate remote URL, enabling authenticated attackers to make the server send requests to arbitrary internal or external locations. Notably, this issue is not addressed by SPIP's security screen.
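The check the advisory describes as missing is the decision "is this syndication URL a legitimate remote URL, or would fetching it make the server talk to itself or to an internal network?" The following is an added illustration of that check written for this page; it is not SPIP's code and not the 4.4.9 fix. It assumes a hypothetical validator `is_legitimate_remote_url()` that accepts only http/https, resolves the host, and requires every resulting address to be globally routable. The hostname-to-address table and the `OFFLINE_RESOLVER` built from it are constructed so the example runs without network access.

```python
"""Illustrative 'legitimate remote URL' check for SSRF prevention (added example, not SPIP code)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(hostname):
    """Resolve a hostname to the set of IP address strings it maps to (IPv4 and IPv6)."""
    infos = socket.getaddrinfo(hostname, None)
    return {info[4][0] for info in infos}


def make_static_resolver(table):
    """Build a resolver backed by a constructed hostname -> addresses table (offline use)."""
    def resolve(hostname):
        try:
            return table[hostname]
        except KeyError:
            # Mimic a DNS failure so callers fail closed exactly as with a real lookup.
            raise socket.gaierror(f"constructed resolver: no record for {hostname}")
    return resolve


def _is_public(ip):
    """True only for globally routable unicast addresses.

    Loopback, RFC 1918, link-local, shared address space, documentation ranges,
    unspecified and multicast addresses are all rejected. IPv4-mapped IPv6
    addresses (::ffff:a.b.c.d) are judged by the embedded IPv4 address.
    """
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        return _is_public(mapped)
    return ip.is_global and not ip.is_multicast


def is_legitimate_remote_url(url, resolver=default_resolver):
    """Return True only if url is http(s) and its host resolves solely to public addresses.

    The host is resolved rather than string-matched, so aliases such as
    'localhost' or unusual numeric spellings of loopback are caught by what
    they actually resolve to. Any resolution error fails closed.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname  # lowercased; brackets already stripped from IPv6 literals
    if not host:
        return False
    try:
        # IP literal in the URL: no DNS needed.
        addresses = {ipaddress.ip_address(host)}
    except ValueError:
        try:
            addresses = {ipaddress.ip_address(a) for a in resolver(host)}
        except (OSError, ValueError):  # socket.gaierror is an OSError
            return False
    if not addresses:
        return False
    # A host with even one internal address is rejected: the fetcher may pick any of them.
    return all(_is_public(ip) for ip in addresses)


# Constructed DNS table for offline demonstration; these names are not real records.
CONSTRUCTED_DNS = {
    "feed.example.org": {"93.184.216.34"},
    "intranet.corp.internal": {"10.1.2.3"},
    "dual.example.org": {"93.184.216.34", "10.0.0.9"},
}
OFFLINE_RESOLVER = make_static_resolver(CONSTRUCTED_DNS)


if __name__ == "__main__":
    for candidate in [
        "https://feed.example.org/rss",
        "http://intranet.corp.internal/",
        "http://dual.example.org/",
        "http://127.0.0.1/",
        "http://[::ffff:10.0.0.1]/",
        "ftp://feed.example.org/",
    ]:
        print(f"{candidate!r:40} -> {is_legitimate_remote_url(candidate, OFFLINE_RESOLVER)}")
```

Two caveats matter in practice. First, the check must be applied to the addresses the HTTP client actually connects to, including every redirect hop, otherwise a host that resolves to a public address at validation time can point elsewhere when the fetch happens. Second, as the advisory notes that SPIP's security screen does not cover this issue, a generic request filter is not a substitute for validating the URL at the point where the syndication feature stores and fetches it.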

Impact

Exploitation of this vulnerability allows for blind server-side request forgery, where an authenticated attacker can make the server perform requests to external or internal resources, potentially leading to further exploitation or information disclosure.

Remediation

Users can update to SPIP version 4.4.9, which addresses this vulnerability. Instructions for updating are available on the SPIP website.

Added: Feb 19, 2026, 6:33 PM
Updated: Feb 19, 2026, 6:33 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 0.4
exploitability: 5.5
remediation: 7.7
relevance: 3.1
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.