ctipilot.ch

CERTFR-2026-AVI-0564

campaign · campaign:certfr-2026-avi-0564

CERTFR-2026-AVI-0564 — SPIP < 4.4.14 multiple RCEs (public + private area)

Coverage timeline: 1 day, first 2026-05-13 → last 2026-05-13
Entries: 1 (1 distinct day)
Sources cited: 2 (2 hosts)
Sections touched: 1 (trending-vulnerabilities)
Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-13 (trending-vulnerabilities): CERTFR-2026-AVI-0564 — SPIP < 4.4.14: multiple RCEs (public and private area)

Where this entity is cited

  • trending-vulnerabilities: 1

Source distribution

  • blog.spip.net: 1 (50%)
  • cert.ssi.gouv.fr: 1 (50%)

Entries about CERTFR-2026-AVI-0564 (1)

2026-05-13

CERTFR-2026-AVI-0564 — SPIP < 4.4.14: multiple RCEs (public and private area)

notable vulnerability discovered 2026-05-13 05:00 UTC

CERT-FR's advisory CERTFR-2026-AVI-0564 (2026-05-12) covers multiple remote code execution flaws in SPIP, the open-source CMS behind a substantial share of French ministry, university and francophone Swiss canton web sites (CERT-FR CERTFR-2026-AVI-0564, 2026-05-12; SPIP security bulletin, 2026-05-12). The SPIP bulletin describes two distinct RCE paths in versions prior to 4.4.14: one in the private (authenticated) area, ecrire/, and one in the public (unauthenticated) area that is reachable only "under specific nginx configurations". The bulletin states the bugs are "not covered by the security screen": SPIP's écran de sécurité (config/ecran_securite.php), the separately updated filter script the project normally publishes as a stopgap for known attack patterns, does not block these flaws, so the screen is not a substitute for the upgrade here. No CVE identifiers are assigned in the vendor bulletin. Fixed in SPIP 4.4.14. No in-the-wild exploitation reported. Detection concepts: monitor the ecrire/ and front-end access logs for the SSTI / template-load gadget patterns the bulletin enumerates; on shared-host SPIP estates, audit the nginx reverse-proxy configuration for the unsafe location pattern, since that configuration is what exposes the unauthenticated path. Hardening: upgrade to 4.4.14; on internet-facing SPIP, gate ecrire/ to a known admin source set at the reverse proxy, keeping in mind that this only reduces exposure of the private-area flaw and does nothing for the public-area one.

vulnerabilities rce patch-available europe
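As an added illustration of the "gate ecrire/ at the reverse proxy" hardening step above (this is example configuration written for this entry, not configuration from the SPIP bulletin or the CERT-FR advisory; the hostname, document root, admin CIDRs and PHP-FPM socket path are assumptions):

```nginx
# Added example, not from the SPIP bulletin or CERT-FR advisory.
# Gates the SPIP private area (ecrire/) to an admin source set at nginx.
# Hostname, docroot, CIDRs and the PHP-FPM socket are assumed values.
server {
    listen 443 ssl;
    server_name spip.example.org;        # assumed hostname
    root /var/www/spip;                  # assumed SPIP document root

    # "^~" makes this prefix location win over the regex "location ~ \.php$"
    # further down. With a plain "location /ecrire/" the regex block would
    # take ecrire/index.php and the allowlist below would never be applied.
    location ^~ /ecrire/ {
        allow 192.0.2.0/24;              # assumed: office egress range
        allow 198.51.100.7;              # assumed: admin VPN concentrator
        deny  all;                       # everyone else: 403 before PHP runs

        # PHP still executes for allowed sources; the allow/deny rules of the
        # enclosing location are inherited by this nested one.
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php8.2-fpm.sock;   # assumed socket
        }
    }

    # Public area: reachable by anyone, so this gate does not mitigate the
    # unauthenticated RCE path. Only SPIP 4.4.14 fixes that one.
    location / {
        try_files $uri $uri/ /spip.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;       # assumed socket
    }
}
```

Verify with `nginx -t`, reload, then request `/ecrire/` from an address outside the allowlist and confirm a 403 in both the response and the access log. Two caveats: if another proxy or CDN sits in front of nginx, `allow`/`deny` see that hop's address, so the real-IP module (`set_real_ip_from` / `real_ip_header`) must be configured before the allowlist means anything; and this gate changes nothing about the public-area path, which is exactly the one tied to nginx configuration in the bulletin, so the upgrade to 4.4.14 remains the fix.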