Register | Log in

spip

website engine for publishing

Choose email to subscribe with

general

source: spip (main)
version: 4.4.14+dfsg-1
maintainer: David Prévot (DMD) (LowNMU)
arch: all
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 3.2.11-3+deb11u10
o-o-sec: 3.2.11-3+deb11u7
stable: 4.4.13+dfsg-0+deb13u1
stable-sec: 4.4.13+dfsg-0+deb13u1
unstable: 4.4.14+dfsg-1

versioned links

3.2.11-3+deb11u7: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.2.11-3+deb11u10: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.4.13+dfsg-0+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.4.14+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

spip (5 bugs: 0, 3, 2, 0)

action needed

3 security issues in trixie high

There are 3 open security issues in trixie.

2 important issues:

CVE-2026-8429: SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the private space that allows attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability to achieve code execution that bypasses the SPIP security screen protections.
CVE-2026-8430: SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the public space that is limited to certain nginx configurations, allowing attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability through specific nginx configuration scenarios to achieve code execution, and this issue is not mitigated by the SPIP security screen.

1 issue left for the package maintainer to handle:

CVE-2023-53900: (needs triaging) Spip 4.1.10 contains a file upload vulnerability that allows attackers to upload malicious SVG files with embedded external links. Attackers can trick administrators into clicking a crafted SVG logo that redirects to a potentially dangerous URL through improper file upload filtering.

You can find information about how to handle this issue in the security team's documentation.

Created: 2025-12-17 Last update: 2026-05-16 15:30

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2023-53900: Spip 4.1.10 contains a file upload vulnerability that allows attackers to upload malicious SVG files with embedded external links. Attackers can trick administrators into clicking a crafted SVG logo that redirects to a potentially dangerous URL through improper file upload filtering.

Created: 2025-12-17 Last update: 2026-05-16 15:30

16 security issues in bullseye high

There are 16 open security issues in bullseye.

15 important issues:

CVE-2026-8429: SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the private space that allows attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability to achieve code execution that bypasses the SPIP security screen protections.
CVE-2026-8430: SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the public space that is limited to certain nginx configurations, allowing attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability through specific nginx configuration scenarios to achieve code execution, and this issue is not mitigated by the SPIP security screen.
CVE-2025-71240: SPIP before 4.2.15 allows Cross-Site Scripting (XSS) via crafted content in HTML code tags. The application does not properly verify JavaScript within code tags, allowing an attacker to inject malicious scripts that execute in a victim's browser.
CVE-2025-71241: SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an attacker to inject malicious scripts. This vulnerability is mitigated by the SPIP security screen.
CVE-2025-71242: SPIP before 4.3.6, 4.2.17, and 4.1.20 allows unauthorized content disclosure in the private area. The application does not properly check authorization when displaying content of articles and sections (rubriques) in AJAX-loaded fragments, allowing an authenticated attacker to access restricted content. This vulnerability is not mitigated by the SPIP security screen.
CVE-2025-71244: SPIP before 4.4.5 and 4.3.9 allows an Open Redirect via the login form when used in AJAX mode. An attacker can craft a malicious URL that, when visited by a victim, redirects them to an arbitrary external site after login. This vulnerability only affects sites where the login page has been overridden to function in AJAX mode. It is not mitigated by the SPIP security screen.
CVE-2026-22205: SPIP versions prior to 4.4.10 contain an authentication bypass vulnerability caused by PHP type juggling that allows unauthenticated attackers to access protected information. Attackers can exploit loose type comparisons in authentication logic to bypass login verification and retrieve sensitive internal data.
CVE-2026-22206: SPIP versions prior to 4.4.10 contain a SQL injection vulnerability that allows authenticated low-privilege users to execute arbitrary SQL queries by manipulating union-based injection techniques. Attackers can exploit this SQL injection flaw combined with PHP tag processing to achieve remote code execution on the server.
CVE-2026-26223: SPIP before 4.4.8 allows cross-site scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. The fix adds a sandbox attribute to iframe tags in the private area. This vulnerability is not mitigated by the SPIP security screen.
CVE-2026-26345: SPIP before 4.4.8 contains a stored cross-site scripting (XSS) vulnerability in the public area triggered in certain edge-case usage patterns. The echapper_html_suspect() function does not adequately sanitize user-controlled content, allowing authenticated users with content-editing privileges (e.g., author-level roles and above) to inject malicious scripts. The injected payload may be rendered across multiple pages within the framework and execute in the browser context of other users, including administrators. Successful exploitation can allow attackers to perform actions in the security context of the victim user, including unauthorized modification of application state. This vulnerability is not mitigated by the SPIP security screen.
CVE-2026-27472: SPIP before 4.4.9 allows Blind Server-Side Request Forgery (SSRF) via syndicated sites in the private area. When editing a syndicated site, the application does not verify that the syndication URL is a valid remote URL, allowing an authenticated attacker to make the server issue requests to arbitrary internal or external destinations. This vulnerability is not mitigated by the SPIP security screen.
CVE-2026-27473: SPIP before 4.4.9 allows Stored Cross-Site Scripting (XSS) via syndicated sites in the private area. The #URL_SYNDIC output is not properly sanitized on the private syndicated site page, allowing an attacker who can set a malicious syndication URL to inject persistent scripts that execute when other administrators view the syndicated site details.
CVE-2026-27474: SPIP before 4.4.9 allows Cross-Site Scripting (XSS) in the private area, complementing an incomplete fix from SPIP 4.4.8. The echappe_anti_xss() function was not systematically applied to input, form, button, and anchor (a) HTML tags, allowing an attacker to inject malicious scripts through these elements. This vulnerability is not mitigated by the SPIP security screen.
CVE-2026-27475: SPIP before 4.4.9 allows Insecure Deserialization in the public area through the table_valeur filter and the DATA iterator, which accept serialized data. An attacker who can place malicious serialized content (a pre-condition requiring prior access or another vulnerability) can trigger arbitrary object instantiation and potentially achieve code execution. The use of serialized data in these components has been deprecated and will be removed in SPIP 5. This vulnerability is not mitigated by the SPIP security screen.
CVE-2026-33549: SPIP 4.4.10 through 4.4.12 before 4.4.13 allows unintended privilege assignment (of administrator privileges) during the editing of an author data structure because of STATUT mishandling.

1 issue postponed or untriaged:

CVE-2023-53900: (needs triaging) Spip 4.1.10 contains a file upload vulnerability that allows attackers to upload malicious SVG files with embedded external links. Attackers can trick administrators into clicking a crafted SVG logo that redirects to a potentially dangerous URL through improper file upload filtering.

Created: 2026-02-19 Last update: 2026-05-16 15:30

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2023-53900: Spip 4.1.10 contains a file upload vulnerability that allows attackers to upload malicious SVG files with embedded external links. Attackers can trick administrators into clicking a crafted SVG logo that redirects to a potentially dangerous URL through improper file upload filtering.

Created: 2025-12-17 Last update: 2026-04-28 19:02

lintian reports 1 warning normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2026-03-08 Last update: 2026-03-08 20:31

debian/patches: 2 patches to forward upstream low

Among the 5 debian patches available in version 4.4.14+dfsg-1 of the package, we noticed the following issues:

2 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-05-14 09:03

testing migrations

excuses:
- Migrates after: php-algo26-idna-convert, php-getid3, php-symfony-contracts, phpab, symfony
- Migration status for spip (- to 4.4.14+dfsg-1): Waiting for test results or another package, or too young (no action required now - check later)
- Issues preventing migration:
- ∙ ∙ Too young, only 4 of 5 days old
- ∙ ∙ Build-Depends(-Arch): spip php-algo26-idna-convert
- ∙ ∙ Build-Depends(-Arch): spip php-symfony-contracts
- ∙ ∙ Build-Depends(-Arch): spip phpab
- ∙ ∙ Build-Depends(-Arch): spip symfony
- ∙ ∙ Depends: spip php-algo26-idna-convert
- ∙ ∙ Depends: spip php-getid3
- ∙ ∙ Depends: spip php-symfony-contracts
- ∙ ∙ Depends: spip symfony
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/s/spip.html
- ∙ ∙ Reproduced on amd64 - info
- ∙ ∙ Reproduced on arm64 - info
- ∙ ∙ Reproduced on armhf - info
- ∙ ∙ Reproduced on i386 - info
- Not considered

news

[2026-05-13] Accepted spip 4.4.14+dfsg-1 (source) into unstable (David Prévot)
[2026-05-08] spip REMOVED from testing (Debian testing watch)
[2026-03-22] Accepted spip 4.4.13+dfsg-0+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: David Prévot)
[2026-03-22] Accepted spip 4.4.13+dfsg-0+deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: David Prévot)
[2026-03-13] spip 4.4.13+dfsg-1 MIGRATED to testing (Debian testing watch)
[2026-03-08] Accepted spip 4.4.13+dfsg-1 (source) into unstable (David Prévot)
[2026-03-05] Accepted spip 4.4.11+dfsg-0+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: David Prévot)
[2026-03-05] spip 4.4.11+dfsg-1 MIGRATED to testing (Debian testing watch)
[2026-03-03] Accepted spip 4.4.11+dfsg-0+deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: David Prévot)
[2026-02-28] Accepted spip 4.4.11+dfsg-1 (source) into unstable (David Prévot)
[2026-02-27] Accepted spip 4.4.10+dfsg-1 (source) into unstable (David Prévot)
[2026-02-24] spip 4.4.9+dfsg-1 MIGRATED to testing (Debian testing watch)
[2026-02-19] Accepted spip 4.4.9+dfsg-1 (source) into unstable (David Prévot)
[2026-02-18] spip 4.4.8+dfsg-1 MIGRATED to testing (Debian testing watch)
[2026-02-13] Accepted spip 4.4.8+dfsg-1 (source) into unstable (David Prévot)
[2025-12-13] spip 4.4.7+dfsg-1 MIGRATED to testing (Debian testing watch)
[2025-12-08] Accepted spip 4.4.7+dfsg-1 (source) into unstable (David Prévot)
[2025-10-31] Accepted spip 4.4.3+dfsg-1+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: David Prévot)
[2025-10-16] spip 4.4.6+dfsg-1 MIGRATED to testing (Debian testing watch)
[2025-10-11] Accepted spip 4.4.6+dfsg-1 (source) into unstable (David Prévot)
[2025-09-14] spip 4.4.5+dfsg-1 MIGRATED to testing (Debian testing watch)
[2025-09-09] Accepted spip 4.4.5+dfsg-1 (source) into unstable (David Prévot)
[2025-06-10] Accepted spip 4.4.4+dfsg-1 (source) into experimental (David Prévot)
[2025-04-15] spip 4.4.3+dfsg-1 MIGRATED to testing (Debian testing watch)
[2025-04-10] Accepted spip 4.4.3+dfsg-1 (source) into unstable (David Prévot)
[2025-03-19] Accepted spip 4.4.2+dfsg-1 (source) into experimental (David Prévot)
[2025-03-17] spip 4.3.8+dfsg-1 MIGRATED to testing (Debian testing watch)
[2025-03-11] Accepted spip 4.3.8+dfsg-1 (source) into unstable (David Prévot)
[2025-01-22] spip 4.3.6+dfsg-1 MIGRATED to testing (Debian testing watch)
[2025-01-16] Accepted spip 4.3.6+dfsg-1 (source) into unstable (David Prévot)

1
2

bugs [bug history graph]

all: 6
RC: 0
I&N: 4
M&W: 2
F&P: 0
patch: 0

links

homepage
lintian (0, 1)
buildd: logs
popcon
browse source code
other distros
security tracker
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 4.4.9+dfsg-1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing