CVE-2026-27743 - Vulnerability Analysis
CriticalCVSS: 9.8Last Updated: February 26, 2026
SPIP referer_spam - SQL Injection
Overview
SPIP referer_spam plugin < 1.3.0 contains an unauthenticated SQL injection caused by direct interpolation of the url parameter in SQL LIKE clauses in referer_spam_ajouter and referer_spam_supprimer handlers, letting remote attackers execute arbitrary SQL queries without authorization.
Severity & Score
Impact
Remote attackers can execute arbitrary SQL queries, potentially leading to data disclosure, modification, or full database compromise.
Mitigation
Update to version 1.3.0 or later.
References
- https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-10.html
- https://git.spip.net/spip-contrib-extensions/referer_spam/-/commit/33682df73cd5f7e9c72d8c4d5088611fa2441683
- https://plugins.spip.net/referer_spam.html
- https://www.vulncheck.com/advisories/spip-referer-spam-unauthenticated-sql-injection
- https://chocapikk.com/posts/2026/spip-plugins-vulnerabilities/
Social Media Activity(1 post)
š“ CVE-2026-27743 - Critical (9.8) The SPIP referer_spam plugin versions prior to 1.3.0 contain an unauthenticated SQL injection vulnerability in the referer_spam_ajouter and referer_spam_supprimer action handlers. The handlers read the url parameter from a GET request and interpo... š https://www.thehackerwire.com/vulnerability/CVE-2026-27743/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postRelated Resources
Details
- CVE ID
- CVE-2026-27743
- Severity
- Critical
- CVSS Score
- 9.8
- Type
- sql_injection
- Status
- unconfirmed
- EPSS
- 8.5%
- Social Posts
- 1
CWE
- CWE-89
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H