CVE-2026-8429

Name: CVE-2026-8429
Description: SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the private space that allows attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability to achieve code execution that bypasses the SPIP security screen protections.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DSA-6296-1

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| spip (PTS) | bullseye | 3.2.11-3+deb11u10 | vulnerable |
| | bullseye (security) | 3.2.11-3+deb11u7 | vulnerable |
| | trixie | 4.4.13+dfsg-0+deb13u1 | vulnerable |
| | trixie (security) | 4.4.15+dfsg-0+deb13u1 | fixed |
| | sid | 4.4.15+dfsg-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| spip | source | trixie | 4.4.15+dfsg-0+deb13u1 | | DSA-6296-1 | |
| spip | source | (unstable) | 4.4.14+dfsg-1 | | | |
