PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48832 SPIP CVE debrief

A low-severity open redirect vulnerability exists in SPIP's administrative interface (ecrire/action/cookie.php) prior to version 4.4.15. The vulnerability, classified as CWE-601 (URL redirection to an untrusted site), lets an attacker-controlled URL parameter send a visitor from the trusted SPIP host to an arbitrary destination. SPIP published a security advisory and released version 4.4.15 on May 24, 2026 to address this issue. The CVSS 3.1 score of 3.5 reflects that a victim must be induced to follow a crafted link and that the impact is limited to where the browser is sent, with no direct data exposure or loss of availability. Two commits in the SPIP Git repository implement the remediation.

Vendor
SPIP
Product
Unknown
CVSS
LOW 3.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-24
Original CVE updated
2026-05-26
Advisory published
2026-05-24
Advisory updated
2026-05-26

Who should care

SPIP site administrators, security teams managing content management systems, and organizations using SPIP for publishing platforms

Technical summary

The vulnerability resides in action/cookie.php under the ecrire administrative directory of SPIP installations. Open redirects arise when a user-supplied URL parameter is used as the target of an HTTP redirect without checking that it stays on the site. Because the first hop is on the trusted SPIP domain, a crafted link to /ecrire/action/cookie.php lends that trust to whatever destination the attacker chose, which makes the flaw useful mainly for phishing: the victim sees a legitimate SPIP URL and lands on an attacker-controlled page. The attack requires network access and low privileges, and the victim must follow the crafted link; the low score reflects that user-interaction requirement and the limited impact of a redirect rather than any complexity in triggering it.

Defensive priority

low

Recommended defensive actions

  • Upgrade SPIP installations to version 4.4.15 or later
  • Review web server logs for requests to /ecrire/action/cookie.php whose query string carries an absolute or protocol-relative URL (https://..., //host, /\host) pointing off-site, especially where the response was a 3xx
  • Implement URL validation on any custom redirect handling in SPIP environments: accept only site-relative paths or an allowlist of your own hosts, and reject protocol-relative and backslash forms
  • Do not rely on Content Security Policy for this: CSP does not govern where a server-side 302 sends the browser, so redirect targets have to be restricted in the application itself
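As an added example (not code from SPIP or from the advisory), the following Python puts the two application-side actions above into working form: an allowlist check for redirect targets that a custom redirect handler can call, and a triage pass over access-log lines for the affected endpoint. Everything beyond the page is assumed: the site host list, the combined log format, and the "redirect" parameter name in the constructed sample lines. The advisory does not name the vulnerable parameter, so the scanner checks every query value that names a host or scheme rather than one fixed name.

```python
"""Added example, not SPIP code: redirect-target allowlisting plus a triage
pass over access-log lines for /ecrire/action/cookie.php.

Assumptions: ALLOWED_HOSTS is the SPIP site's own host list; the sample log
lines are constructed (combined format) and the 'redirect' parameter name is
invented, since the advisory does not name the vulnerable parameter."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

ALLOWED_HOSTS = frozenset({"www.example.org"})  # assumption: the site's host(s)


def _normalise(target):
    # Decode once more to catch double-encoding, then treat '\' like '/' as
    # browsers do, so '/\evil.example' is seen as '//evil.example'.
    return unquote(target).strip().replace("\\", "/")


def names_a_host(value):
    """True if the value carries a scheme or an authority, i.e. it could send
    the browser somewhere other than a site-relative path."""
    v = _normalise(value)
    try:
        p = urlsplit(v)
    except ValueError:  # e.g. malformed IPv6 brackets: treat as suspicious
        return True
    return bool(p.scheme) or bool(p.netloc) or v.startswith("//")


def is_safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS):
    """Allow only site-relative paths or http(s) URLs on an allowed host.

    Rejects the usual bypasses: other hosts, protocol-relative '//evil',
    backslash variants, userinfo tricks ('https://trusted@evil'), non-http
    schemes, and targets containing control characters or whitespace."""
    if not target:
        return False
    t = _normalise(target)
    if any(ord(c) <= 0x20 for c in t):
        return False
    try:
        p = urlsplit(t)
    except ValueError:
        return False
    if p.scheme:
        if p.scheme.lower() not in ("http", "https"):
            return False
        # hostname is lowercased and excludes userinfo and port
        return p.hostname is not None and p.hostname in allowed_hosts
    if p.netloc:  # '//evil.example/...' has an authority but no scheme
        return p.hostname in allowed_hosts
    # Scheme-less and authority-less: must be a single-slash absolute path.
    return t.startswith("/") and not t.startswith("//")


# Combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/ecrire/action/cookie.php"


def find_offsite_redirect_attempts(log_lines, allowed_hosts=ALLOWED_HOSTS, endpoint=ENDPOINT):
    """Return (ip, timestamp, status, param, value) for requests to `endpoint`
    whose query string carries a URL-like value that leaves the allowed hosts.
    A 3xx status on such a line means the server actually issued the redirect."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        req = urlsplit(m.group("target"))
        if req.path != endpoint:
            continue
        for name, value in parse_qsl(req.query, keep_blank_values=True):
            if names_a_host(value) and not is_safe_redirect_target(value, allowed_hosts):
                hits.append((m.group("ip"), m.group("ts"), m.group("status"), name, value))
    return hits


# Constructed sample lines, not real traffic. Lines 2 and 3 carry off-site
# targets; lines 1 and 4 are legitimate; line 5 is an unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/May/2026:10:00:01 +0000] "GET /ecrire/action/cookie.php?redirect=%2Fecrire%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/May/2026:10:00:02 +0000] "GET /ecrire/action/cookie.php?redirect=https%3A%2F%2Fphish.example%2Flogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [24/May/2026:10:00:03 +0000] "GET /ecrire/action/cookie.php?redirect=%2F%5Cphish.example HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [24/May/2026:10:00:04 +0000] "GET /ecrire/action/cookie.php?redirect=https%3A%2F%2Fwww.example.org%2Fecrire%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [24/May/2026:10:00:05 +0000] "GET /spip.php?article12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_offsite_redirect_attempts(SAMPLE_LOG):
        print("off-site redirect attempt:", hit)
```

The validator deliberately returns False for anything it cannot classify, so a custom handler should fall back to a fixed safe location (the site root, for instance) rather than to the submitted value. For the log pass, run it over the full retention window, not just the days around the advisory: an open redirect leaves no trace other than these request lines, and the backslash and protocol-relative forms are the ones a naive "starts with http" grep misses.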

Evidence notes

Official SPIP security advisory confirms fixed version 4.4.15. Git commits a22cb8a56f1e37ff3854b73ff3f66aa3df47070a and 75629034697ab52a963a340afd10930407e1cd55 contain the patches. NVD record shows deferred status as of May 26, 2026.

Official resources

public