ctipilot.ch

SPIP 2026 RCE wave

trend · trend:spip-2026-rce-wave

Successive 2026 SPIP CMS security releases tracked by CERT-FR: multiple RCEs in versions before 4.4.14 (CERTFR-2026-AVI-0564) followed by a security-policy bypass fixed in 4.4.15 (CERTFR-2026-AVI-0635). SPIP is the dominant French public-administration CMS with wide EU/CH Francophone government deployment.

Aliases: CERTFR-2026-AVI-0564, CERTFR-2026-AVI-0635

Coverage timeline
3
first 2026-05-13 → last 2026-05-23
Peak priority
notable
3 notable
Sources cited
5
3 hosts
Sections touched
3
active-threats, trending-vulnerabilities, weekly-sector-patterns
Co-occurring entities
3
see Related entities below

Story timeline

  1. 2026-05-23ANSSI / CERT-FR publishes CERTFR-2026-AVI-0635 on SPIP < 4.4.15 — security-policy bypass in the dominant French public-administration CMS
    active-threats
  2. 2026-05-18Public administration — web-CMS and identity estate under multi-vector pressure
    weekly-sector-patterns
  3. 2026-05-13CERTFR-2026-AVI-0564 — SPIP < 4.4.14: multiple RCEs (public and private area)
    trending-vulnerabilities

Where this entity is cited

  • trending-vulnerabilities1
  • weekly-sector-patterns1
  • active-threats1

Source distribution

  • blog.spip.net2 (40%)
  • cert.ssi.gouv.fr2 (40%)
  • krebsonsecurity.com1 (20%)

Related entities

Entries about SPIP 2026 RCE wave (3)

2026-05-23 · view entry permalink →

NOTABLE

ANSSI / CERT-FR publishes CERTFR-2026-AVI-0635 on SPIP < 4.4.15 — security-policy bypass in the dominant French public-administration CMS

ANSSI / CERT-FR issued CERTFR-2026-AVI-0635 on 2026-05-22 covering a security-policy bypass vulnerability in SPIP (Système de Publication pour l'Internet) versions prior to 4.4.15; SPIP 4.4.15 was released the same day (SPIP blog, 2026-05-22). The advisory quotes the issue in CERT-FR's standard French: "Une vulnérabilité a été découverte dans SPIP. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité. SPIP versions antérieures à 4.4.15 sont affectées." (in English: a vulnerability allows an attacker to bypass the security policy; versions prior to 4.4.15 are affected). No CVE identifier or CVSS score is attached to the CERT-FR notice yet; no exploitation in the wild has been reported.

The SPIP project blog characterises the underlying issue specifically as an open-redirect vulnerability in the cookie action — the "policy bypass" framing in the CERT-FR advisory is the standard generic catch-all used by ANSSI, not a separate finding. SPIP is the predominant CMS across French public administration — préfectures, ministries, research institutions — and the Francophone government sphere in Belgium, Switzerland (Romandie cantonal and communal sites) and Canada. Open-redirect issues in authenticated cookie paths are typically chained into account-impersonation or token-laundering against OAuth/OpenID-Connect identity providers, so the EU/CH public-sector risk is concrete even without a CVE in the loop yet. SPIP 4.4.15 is the immediate follow-on to the earlier-May 4.4.14 security release. Detection vantage: review SPIP access logs for unexpected redirect-parameter values on the cookie-action endpoint and any outbound 30x responses to attacker-controlled hosts; defenders should also note that Swiss cantonal and communal administrations using SPIP for public portals fall under the 24-hour NCSC.ch reporting obligation for critical-infrastructure operators if a SPIP intrusion is later confirmed.

Why it matters to us: every Romandie cantonal/communal SOC with a SPIP-built portal needs to patch in this cycle; the absence of a CVE makes it easy to overlook on automated patch-track reports.

threat23 May 05:00Zmulti-sourceOpen finding ↗

2026-05-18 · view entry permalink →

NOTABLE

Public administration — web-CMS and identity estate under multi-vector pressure

Public-sector web and identity infrastructure took hits from several directions this week: the actively-exploited Drupal pre-auth SQLi (§ 1), ANSSI/CERT-FR's CERTFR-2026-AVI-0635 on SPIP < 4.4.15 (the dominant French public-administration CMS), the unpatched Sparx Enterprise Architect chain and the Keycloak IAM cluster (§ 3), and Webworm's pivot to EU government targets (§ 7). Add the Krebs-reported CISA-contractor exposure of AWS GovCloud admin keys in a public GitHub repo for ~6 months (daily 2026-05-19) and the Rhysida Stuttgart claim (§ 5), and the week's signal is that the public-administration estate's CMS, IAM and cloud-credential surfaces are all live targets simultaneously. Prioritise the CMS/IAM patch SLAs and audit cloud-credential hygiene in contractor repositories.

synthesis18 May 05:00Zmulti-sourceOpen finding ↗

2026-05-13 · view entry permalink →

NOTABLE

CERTFR-2026-AVI-0564 — SPIP < 4.4.14: multiple RCEs (public and private area)

CERT-FR's advisory CERTFR-2026-AVI-0564 (2026-05-12) covers multiple remote code execution flaws in SPIP — the open-source CMS that powers a substantial share of French ministry, université and francophone Swiss canton web sites (CERT-FR CERTFR-2026-AVI-0564, 2026-05-12; SPIP security bulletin, 2026-05-12). The SPIP bulletin describes two distinct RCE paths in versions prior to 4.4.14: one in the private (authenticated) area, and one in the public (unauthenticated) area "under specific nginx configurations" — the SPIP bulletin notes the bugs are "not covered by the security screen", meaning they bypass SPIP's built-in filter layer. No CVE identifiers are assigned in the vendor bulletin. Fixed in SPIP 4.4.14. No ITW reported. Detection concepts: monitor SPIP ecrire/ and front-end access logs for the SSTI / template-load gadget patterns the bulletin enumerates; on shared-host SPIP estates, audit the nginx reverse-proxy configuration for the unsafe location pattern. Hardening: upgrade to 4.4.14; on internet-facing SPIP, gate ecrire/ to a known admin source set at the reverse proxy.

vulnerability13 May 05:00Zmulti-sourceOpen finding ↗