PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-7998 Spip CVE debrief

CVE-2016-7998 is a high-severity authenticated remote code execution issue in SPIP's template composer/compiler. In affected SPIP 3.1.2 and earlier deployments, a remote authenticated user can upload a crafted HTML file containing INCLUDE or INCLURE tags and then access it through the valider_xml action to execute arbitrary PHP code.

Vendor
Spip
Product
CVE-2016-7998
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-18
Original CVE updated
2026-05-13
Advisory published
2017-01-18
Advisory updated
2026-05-13

Who should care

SPIP site operators, application owners, and incident responders should care most, especially where authenticated users can upload HTML content or otherwise interact with template processing features. Hosting teams managing SPIP instances and defenders reviewing suspicious authenticated activity should also prioritize this issue.

Technical summary

NVD maps the vulnerable scope to SPIP versions up to and including 3.1.2. The CVE description states that the template composer/compiler can be abused by a remote authenticated user who uploads a crafted HTML file with INCLUDE or INCLURE tags and then triggers it via valider_xml, resulting in arbitrary PHP code execution. NVD assigns CVSS 3.0 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and CWE-20.

Defensive priority

High priority for any SPIP installation at or below 3.1.2, because the impact is full application compromise through authenticated code execution. Remediation should be treated as urgent if authenticated uploads or template compilation paths are reachable.

Recommended defensive actions

  • Upgrade SPIP to a fixed version newer than 3.1.2.
  • Apply the vendor fixes referenced by revisions 23186, 23189, and 23192.
  • Review authenticated upload workflows and remove or restrict HTML upload capabilities where possible.
  • Audit application and web logs for suspicious authenticated HTML uploads and unusual valider_xml activity.
  • Check exposed SPIP instances and verify that no affected version remains in production or staging.
  • If immediate upgrading is delayed, restrict access to the affected functionality and limit who can upload or modify HTML content.

Evidence notes

The source corpus includes the CVE description, NVD CPE scope, CVSS vector, and vendor/mailing-list references. NVD lists affected SPIP versions up to 3.1.2, CVSS 3.0 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, and CWE-20. Public references point to October 2016 mailing-list discussion, SPIP repository revisions 23186/23189/23192, a SecurityFocus entry, and a Sysdream advisory. The CVE record was published on 2017-01-18 and later modified on 2026-05-13; those dates are record timing, not the underlying issue date.

Official resources

The supplied references indicate public discussion and advisory activity in October 2016, including mailing-list posts and a Sysdream write-up dated 2016-10-19. The CVE/NVD record itself was published on 2017-01-18 and later modified on 202