Cyber Resilience

CVE-2022-26846

High

Published: 10 March 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: available
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0580 (90.7th percentile)
Risk Priority: 21 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-26846 is a high-severity vulnerability in SPIP, a PHP content management system packaged by Debian; no CWE has been assigned to it. Its CVSS v3.1 base score is 8.8 (High).

Operationally, it ranks in the top 9.3% of CVEs by EPSS exploit likelihood (90.7th percentile), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

SPIP, a content management system, is affected by CVE-2022-26846 in all versions before 3.2.14 and in 4.x versions before 4.0.5. The flaw permits remote authenticated users with editor privileges to execute arbitrary code on the server. The CVSS 3.1 base score of 8.8 reflects a network attack vector, low attack complexity, low privileges required, no user interaction, and full impact on confidentiality, integrity, and availability.

An attacker who already holds a valid editor account can exploit the issue over the network without any user interaction, achieving code execution that can lead to complete compromise of the web server. The vulnerability therefore turns any compromised or malicious editor account into full remote code execution.

Official advisories from the SPIP project and Debian recommend immediate upgrade to SPIP 3.2.14 or 4.0.5, which contain the fixes; corresponding package updates were issued for Debian stable and oldstable releases. The associated EPSS score has remained flat at 0.058 since disclosure, indicating no significant surge in observed exploitation interest.
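As an added illustration (not code from the SPIP project or the Debian advisory): a small Python checker that decides whether an installed SPIP version falls in the affected range named above and reads the version out of ecrire/inc_version.php. The file path and the $spip_version_branche variable name are assumptions about SPIP's source layout, and the sample file content is constructed. The comparison is numeric on purpose; a string comparison would wrongly treat 3.2.9 as newer than 3.2.14.

```python
"""Decide whether a SPIP install is in the CVE-2022-26846 affected range."""
import re
from typing import Optional, Tuple

# Fixed releases named in the advisory: 3.2.14 and 4.0.5.
FIXED_3X = (3, 2, 14)
FIXED_4X = (4, 0, 5)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn "3.2.14" (or "4.0.5-dev") into a tuple of ints for numeric comparison.

    Lexical comparison of version strings is a classic inventory bug:
    "3.2.9" > "3.2.14" as strings, yet 3.2.9 is the older, still-affected release.
    """
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised SPIP version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad to three components so "4.0" compares like 4.0.0.
    return parts + (0,) * (3 - len(parts))


def is_affected(version: str) -> bool:
    """True if this SPIP version is in the affected range of CVE-2022-26846."""
    v = parse_version(version)
    if v[0] >= 5:            # newer major lines are not in the advisory's range
        return False
    if v[0] == 4:
        return v < FIXED_4X  # 4.0.0 .. 4.0.4 are affected
    return v < FIXED_3X      # everything before 3.2.14 is affected


def version_from_inc_version(php_source: str) -> Optional[str]:
    """Extract $spip_version_branche from the text of ecrire/inc_version.php.

    The variable name is an assumption about SPIP's source layout used for
    illustration; adjust the pattern if your install differs.
    """
    m = re.search(r"\$spip_version_branche\s*=\s*['\"]([^'\"]+)['\"]", php_source)
    return m.group(1) if m else None


# Constructed sample of the relevant lines (not real SPIP file content).
SAMPLE_INC_VERSION = """<?php
$spip_version_branche = "4.0.4";
$spip_version_code = "4.0.4";
"""


def check_install(php_source: str) -> Tuple[Optional[str], bool]:
    """Return (detected version, affected?) for one install's inc_version.php."""
    version = version_from_inc_version(php_source)
    if version is None:
        return None, False
    return version, is_affected(version)


if __name__ == "__main__":
    for v in ["3.2.9", "3.2.13", "3.2.14", "4.0.4", "4.0.5", "4.1.0"]:
        print(f"SPIP {v}: {'AFFECTED' if is_affected(v) else 'fixed'}")
    print(check_install(SAMPLE_INC_VERSION))
```

Point the checker at the inc_version.php of each SPIP install in your inventory; an install that reports a version but cannot be upgraded immediately should at least have its editor accounts reviewed, since the flaw is reachable by any authenticated editor.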


Vulnerability details

SPIP before 3.2.14 and 4.x before 4.0.5 allows remote authenticated editors to execute arbitrary code.

CWE(s)

None assigned; the weakness type is unspecified.

Related Threats

No named threat actor has been attributed to exploitation of this CVE, and an ATT&CK technique mapping is still in progress.

Affected Assets

spip / spip: < 3.2.14; 4.0.0 to < 4.0.5
debian / debian linux: 9.0, 10.0, 11.0

Mitigating Controls

No mitigating controls have been mapped yet; the per-CVE control annotator has not reached this CVE.
