PatchSiren cyber security CVE debrief

CVE-2016-7982 Spip CVE debrief

CVE-2016-7982 is a high-severity directory traversal issue in SPIP’s ecrire/exec/valider_xml.php. The NVD record says remote attackers could use the var_url parameter in a valider_xml action to enumerate files on the system. The vulnerability is listed as affecting SPIP 3.1.2 and earlier.

Vendor: Spip
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-18
Original CVE updated: 2026-05-13
Advisory published: 2017-01-18
Advisory updated: 2026-05-13

Who should care

Administrators and security teams responsible for SPIP 3.1.2 and earlier, especially on systems where the SPIP application is reachable over the network. Hosting providers and managed-service teams supporting SPIP deployments should also review exposure.

Technical summary

The NVD entry classifies the issue as CWE-22 (path traversal) with CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The affected CPE range in the record ends at SPIP 3.1.2. Reference links point to a vendor repository revision (23200), mailing-list discussion, and a third-party advisory describing the file-enumeration path traversal condition.

Defensive priority

High. The vulnerability is network-reachable, requires no privileges or user interaction per the published CVSS vector, and can expose file contents or file system layout through enumeration.

Recommended defensive actions

  • Upgrade SPIP to a version later than 3.1.2 or apply the vendor fix referenced in repository revision 23200.
  • Review whether ecrire/exec/valider_xml.php is exposed in your deployment and restrict access where possible.
  • Check logs and application telemetry for requests involving valider_xml or suspicious var_url values.
  • If immediate remediation is not possible, reduce exposure of the affected SPIP instance until patched.
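One way to act on the log-review item above, as an added example that is not PatchSiren's or SPIP's code: a small scanner that reads Apache/nginx combined-format access-log lines, picks out requests that touch valider_xml, and flags any whose var_url value still contains a traversal sequence after URL-decoding (double-encoded values included). It assumes the combined log format, treats the `exec=valider_xml` query parameter as the way SPIP routes private-area actions (an assumption about SPIP's URL layout, so the path is also checked), and uses constructed sample log lines, not real traffic.

```python
"""Flag access-log lines that look like probes of SPIP's valider_xml action.

Added detection example (not PatchSiren's or SPIP's code). Assumes the
Apache/nginx combined log format; all sample lines below are constructed.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined log format: host ident user [time] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Traversal hint after decoding: "../", "..\" or an absolute path.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|^/)')


def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (double encoding is common)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target):
    """Return a reason string if the target looks like a valider_xml probe, else None."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    # Assumption: SPIP exposes the action either via the script path or via ?exec=.
    touches_valider_xml = (
        'valider_xml' in parts.path or 'valider_xml' in params.get('exec', [])
    )
    if not touches_valider_xml:
        return None
    for raw in params.get('var_url', []):
        value = decode_fully(raw)
        if TRAVERSAL_RE.search(value):
            return f'valider_xml with traversal-like var_url: {value!r}'
    return 'valider_xml request (review var_url)'


def scan_log(lines):
    """Return (host, time, target, reason) for each suspicious log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_request(m.group('target'))
        if reason:
            hits.append((m.group('host'), m.group('time'), m.group('target'), reason))
    return hits


def summarize_by_host(hits):
    """Count hits per client; file enumeration shows up as many requests from one host."""
    counts = {}
    for host, _time, _target, _reason in hits:
        counts[host] = counts.get(host, 0) + 1
    return counts


# Constructed sample log lines (documentation addresses, not real clients).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2016:10:15:32 +0000] "GET /ecrire/?exec=valider_xml&var_url=..%2F..%2F..%2Fsomedir HTTP/1.1" 200 5120 "-" "curl/7.50"',
    '198.51.100.7 - - [10/Oct/2016:10:16:01 +0000] "GET /spip.php?article12 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2016:10:17:45 +0000] "GET /ecrire/?exec=valider_xml&var_url=%252e%252e%252fconfig HTTP/1.1" 200 4096 "-" "curl/7.50"',
    '192.0.2.9 - - [10/Oct/2016:10:20:00 +0000] "GET /ecrire/?exec=valider_xml&var_url=squelettes/article.html HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    found = scan_log(SAMPLE_LOG)
    for host, when, target, reason in found:
        print(f'{when} {host} {target}\n    -> {reason}')
    print('per-host counts:', summarize_by_host(found))
```

The second sample line is ordinary SPIP traffic and is ignored; the fourth touches valider_xml with a benign-looking var_url and is reported only for review, while the first and third (the third double-encoded) are flagged as traversal-like. Counting per host separates a single stray request from the repeated probing that file enumeration requires.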

Evidence notes

Based on the supplied NVD record and linked references: the vulnerability is CVE-2016-7982, published on 2017-01-18, with a later NVD modification timestamp of 2026-05-13. The record states SPIP 3.1.2 and earlier are vulnerable, identifies CWE-22, and provides the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. References include the SPIP revision 23200 patch entry and a Sysdream advisory about SPIP file enumeration via path traversal.

Official resources

The CVE was published on 2017-01-18. The reference set includes October 2016 mailing-list, patch, and advisory entries, which provide timing context for the public discussion and remediation activity.