ctipilot.ch


CERTFR-2026-AVI-0564 — SPIP < 4.4.14: multiple RCEs (public and private area)

From CTI Daily Brief — 2026-05-13 · published 2026-05-13

CERT-FR's advisory CERTFR-2026-AVI-0564 (2026-05-12) covers multiple remote code execution flaws in SPIP, the open-source CMS that powers a substantial share of French ministry, university and French-speaking Swiss cantonal websites (CERT-FR CERTFR-2026-AVI-0564, 2026-05-12; SPIP security bulletin, 2026-05-12). The SPIP bulletin describes two distinct RCE paths in versions prior to 4.4.14: one in the private (authenticated) area, and one in the public (unauthenticated) area "under specific nginx configurations". The bulletin notes that the bugs are "not covered by the security screen", meaning they bypass SPIP's built-in filter layer. No CVE identifiers are assigned in the vendor bulletin. Fixed in SPIP 4.4.14. No in-the-wild (ITW) exploitation reported.

Detection concepts: monitor SPIP ecrire/ and front-end access logs for the SSTI / template-load gadget patterns the bulletin enumerates; on shared-host SPIP estates, audit the nginx reverse-proxy configuration for the unsafe location pattern.

Hardening: upgrade to 4.4.14; on internet-facing SPIP, gate ecrire/ to a known admin source set at the reverse proxy.
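One way to implement the reverse-proxy gating of ecrire/ described above, written here as an added example (it is not from the brief, CERT-FR or the SPIP project). The admin source ranges, server name and upstream name are placeholders; the separate access log for the private area supports the monitoring the brief recommends.

```nginx
# Added example: restrict SPIP's private area (ecrire/) to a known admin source set
# at the reverse proxy, while the public area stays reachable.
# Placeholders: 203.0.113.0/24 and 198.51.100.10 stand in for the real admin
# networks; spip.example.org and spip_backend for the real host and upstream.

upstream spip_backend {
    server 127.0.0.1:8080;          # placeholder: the SPIP application server
}

server {
    listen      443 ssl;
    server_name spip.example.org;   # placeholder

    # If another proxy or load balancer sits in front of nginx, allow/deny must
    # see the real client address, otherwise the allowlist is evaluated against
    # the front proxy's IP. Only trust headers from that front proxy.
    # set_real_ip_from 10.0.0.0/8;   # placeholder: front-proxy range
    # real_ip_header   X-Forwarded-For;

    # Private area. The `^~` prefix match takes precedence over regex locations,
    # so a later `location ~ \.php$` block cannot route ecrire/ around the gate.
    location ^~ /ecrire/ {
        allow 203.0.113.0/24;       # placeholder: office / VPN range
        allow 198.51.100.10;        # placeholder: admin bastion
        deny  all;                  # every other source receives 403

        # Dedicated log so access to the private area can be monitored on its own.
        access_log /var/log/nginx/spip_ecrire.access.log combined;

        proxy_pass         http://spip_backend;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }

    # Public area: unchanged reachability.
    location / {
        proxy_pass         http://spip_backend;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}
```

Validate with `nginx -t` before reloading, then confirm from an address outside the set that a request to /ecrire/ returns 403 while the public front page still loads.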