SPIP Insecure Deserialization Vulnerability Allowing Potential Code Execution

Vulnerability

An insecure deserialization vulnerability has been identified in SPIP versions prior to 4.4.9. It is reachable from the public area through the table_valeur filter and the DATA iterator, both of which accept serialized data and pass it to unserialize(). An attacker who can inject malicious serialized content, which requires prior access or another vulnerability, can trigger arbitrary object instantiation and, through the magic methods of the instantiated classes, potentially execute code. Accepting serialized data in these components is deprecated and is scheduled for removal in SPIP 5. Note that the SPIP security screen (écran de sécurité) does not block this issue, so it cannot serve as a stopgap.
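The following is an added example, not SPIP's own code, that models the pattern the advisory describes: a lookup helper that accepts either a PHP array or a serialized string and calls unserialize() on the string. The function names (lookup_value_vulnerable, lookup_value_hardened), the gadget class LogWriter, and the payload are all hypothetical and constructed here to show why "arbitrary object instantiation" follows from unserialize() on attacker-influenced input, and how the allowed_classes option removes that capability.

```php
<?php
// Added example (not SPIP code). Shows the unsafe unserialize() pattern
// behind the advisory and a hardened equivalent. All names are hypothetical.

// Stand-in for any autoloadable application class with a magic method that
// runs during unserialize() or on destruction (a "gadget"). Here it only
// prints, so the script is safe to run.
class LogWriter
{
    public $path;
    public $content;

    public function __destruct()
    {
        echo "LogWriter::__destruct fired; a real gadget would write {$this->path}\n";
    }
}

// VULNERABLE: a serialized string is unserialized with default options, so an
// "O:" payload instantiates whatever class it names. This is the shape of the
// flaw the advisory describes for serialized input.
function lookup_value_vulnerable($table, string $key, $default = null)
{
    if (is_string($table)) {
        $table = @unserialize($table);
    }
    return (is_array($table) && array_key_exists($key, $table)) ? $table[$key] : $default;
}

// True if any value in the (possibly nested) array is a placeholder left by
// unserialize(..., ['allowed_classes' => false]) for an object it refused.
function contains_incomplete_object(array $data): bool
{
    $found = false;
    array_walk_recursive($data, function ($v) use (&$found) {
        if (is_object($v) && get_class($v) === '__PHP_Incomplete_Class') {
            $found = true;
        }
    });
    return $found;
}

// HARDENED: allowed_classes => false makes unserialize() yield
// __PHP_Incomplete_Class instead of instantiating application classes, so no
// constructor, __wakeup or __destruct of a gadget ever runs. Since the data is
// supposed to be a plain array, any such leftover is rejected outright.
// (The cleaner fix, which the advisory says SPIP 5 will adopt, is to stop
// accepting serialized strings in these code paths altogether.)
function lookup_value_hardened($table, string $key, $default = null)
{
    if (is_string($table)) {
        $table = @unserialize($table, ['allowed_classes' => false]);
    }
    if (!is_array($table) || contains_incomplete_object($table)) {
        return $default;
    }
    return array_key_exists($key, $table) ? $table[$key] : $default;
}

// Cheap pre-check usable in request logging or a WAF rule: serialized PHP
// objects always carry an O:<len>:"<class>" token. Plain arrays/scalars do not.
function looks_like_serialized_object(string $s): bool
{
    return (bool) preg_match('/(^|[;{])O:\d+:"/', $s);
}

// Constructed payload: an array whose "x" entry is a serialized LogWriter.
// Written by hand rather than via serialize() so no LogWriter exists before
// the vulnerable call, making the instantiation unambiguous.
$payload = 'a:1:{s:1:"x";O:9:"LogWriter":2:{s:4:"path";s:13:"/tmp/evil.php";s:7:"content";s:7:"payload";}}';

var_dump(looks_like_serialized_object($payload));          // bool(true)

$v = lookup_value_vulnerable($payload, 'x');
var_dump($v instanceof LogWriter);                          // bool(true): object instantiated
unset($v);                                                  // __destruct fires here

$h = lookup_value_hardened($payload, 'x');
var_dump($h);                                               // NULL: no gadget was created
```

Run it with `php example.php`. The vulnerable path prints `bool(true)` and then the `__destruct` message, demonstrating that merely unserializing the string ran code from a class the caller never asked for; the hardened path returns the default and prints nothing from LogWriter. The `looks_like_serialized_object` check is a detection aid for request logs, not a substitute for the upgrade: it fires on legitimate serialized objects too and can be evaded by other serialization formats a future gadget might accept.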

Impact

Successful exploitation allows an attacker to instantiate arbitrary classes available to the application during unserialize(). Depending on the gadget classes present in the SPIP installation and its plugins, this can escalate to code execution on the server.

Remediation

Update to SPIP 4.4.9 or later. Because the security screen does not cover this issue, applying the screen alone is not a mitigation; until the upgrade is done, limit who can supply content to the affected filter and iterator.

Added: Feb 19, 2026, 6:31 PM
Updated: Feb 19, 2026, 6:31 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 10.0
exploitability: 5.5
remediation: 7.7
relevance: 3.2
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.