A low-severity open redirect vulnerability exists in SPIP's administrative interface (ecrire/action/cookie.php) prior to version 4.4.15. The vulnerability, classified as CWE-601, allows URL-based redirection to untrusted destinations. SPIP published a security advisory and released version 4.4.15 on May 24, 2026 to address this issue. The CVSS 3.1 score of 3.5 reflects the attack complexity requirements a [truncated]
CVE-2016-7999 is a high-severity server-side request forgery issue in SPIP 3.1.2 and earlier. A remote attacker can supply a URL through the var_url parameter in the valider_xml action, causing the server to make requests on the attacker's behalf. NVD classifies the weakness as CWE-918 and scores it 7.4 with a CVSS 3.0 vector of AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N.
CVE-2016-7998 is a high-severity authenticated remote code execution issue in SPIP's template composer/compiler. In affected SPIP 3.1.2 and earlier deployments, a remote authenticated user can upload a crafted HTML file containing INCLUDE or INCLURE tags and then access it through the valider_xml action to execute arbitrary PHP code.
CVE-2016-7982 is a high-severity directory traversal issue in SPIP's ecrire/exec/valider_xml.php. The NVD record says remote attackers could use the var_url parameter in a valider_xml action to enumerate files on the system. The vulnerability is listed as affecting SPIP 3.1.2 and earlier.
CVE-2016-7981 is a cross-site scripting (XSS) issue in SPIP's valider_xml.php. NVD describes the flaw as allowing a remote attacker to inject arbitrary web script or HTML through the var_url parameter in a valider_xml action. The affected range listed by NVD is SPIP versions up to and including 3.1.2. Because the CVSS vector includes user interaction and changed scope, the main concern is browser-side scr [truncated]
CVE-2016-7980 is a high-severity CSRF issue in SPIP's XML validation handler. In SPIP 3.1.2 and earlier, a crafted valider_xml request can trick a logged-in administrator's browser into triggering the XML validator on a local file, so the request runs under the administrator's authenticated session. NVD assigns CVSS 3.0 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The advisory also notes this issue can be combined with CVE-2016-7998 to reach [truncated]