CVE-2026-27743
Published: 25 February 2026
Summary
CVE-2026-27743 is a critical-severity SQL Injection (CWE-89) vulnerability in Spip Referer Spam. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the unauthenticated SQL injection by requiring validation of the url parameter before interpolation into SQL LIKE clauses.
Enforces authorization checks missing in the referer_spam_ajouter and referer_spam_supprimer handlers, blocking unauthenticated access to vulnerable endpoints.
Requires timely remediation of the flaw through patching to referer_spam version 1.3.0 or later, addressing the lack of input sanitization and protections.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated SQL injection in public-facing SPIP plugin directly enables T1190 (exploit public-facing application). Allows arbitrary SQL for data exfiltration (T1213.006: databases) and modification/deletion (T1565.001: stored data manipulation).
NVD Description
The SPIP referer_spam plugin versions prior to 1.3.0 contain an unauthenticated SQL injection vulnerability in the referer_spam_ajouter and referer_spam_supprimer action handlers. The handlers read the url parameter from a GET request and interpolate it directly into SQL LIKE clauses without…
more
input validation or parameterization. The endpoints do not enforce authorization checks and do not use SPIP action protections such as securiser_action(), allowing remote attackers to execute arbitrary SQL queries.
Deeper analysisAI
CVE-2026-27743 is an unauthenticated SQL injection vulnerability (CWE-89) affecting the referer_spam plugin for the SPIP content management system in versions prior to 1.3.0. The issue resides in the referer_spam_ajouter and referer_spam_supprimer action handlers, which process a url parameter from GET requests and directly interpolate it into SQL LIKE clauses without input validation, parameterization, or authorization checks such as SPIP's securiser_action(). This flaw, published on 2026-02-25, carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for complete database compromise.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. By crafting malicious GET requests to the affected endpoints, attackers can execute arbitrary SQL queries, enabling data exfiltration, modification, or deletion within the SPIP database, as well as potential privilege escalation or denial of service.
Advisories and patches, including the SPIP security update announcement for version 4.4.10, a fix commit in the referer_spam plugin repository (33682df73cd5f7e9c72d8c4d5088611fa2441683), and analyses from VulnCheck and Chocapikk, recommend immediate upgrade to referer_spam version 1.3.0 or later to address the lack of input sanitization and authorization. The plugin page on plugins.spip.net provides details on the updated release.
Details
- CWE(s)