Cyber Resilience

CVE-2026-33549

Severity: Medium
Published: 22 March 2026
Modified: 17 April 2026
KEV Added: not listed
Patch: available (4.4.13)
CVSS Score v3.1: 6.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L)
EPSS Score: 0.0024 (14.8th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-33549 is a medium-severity Function Call With Incorrect Variable or Reference as Argument (CWE-688) vulnerability in Spip Spip. Its CVSS base score is 6.7 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 14.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-33549 is a privilege escalation vulnerability in SPIP, an open-source content management system, affecting versions 4.4.10 through 4.4.12 (fixed in 4.4.13). The flaw stems from improper handling of the STATUT field during the editing of an author data structure, enabling unintended assignment of administrator privileges. It is classified under CWE-688 (Function Call With Incorrect Variable or Reference as Argument) and carries a CVSS v3.1 base score of 6.7 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L), indicating medium severity with high confidentiality and integrity impacts.

An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N), though it requires high attack complexity (AC:H) and user interaction (UI:R), such as tricking a user into performing a specific edit action. Successful exploitation allows the attacker to elevate privileges to administrator level, potentially granting full control over the SPIP instance, including high-impact access to sensitive data (C:H), modification of site content and configurations (I:H), and limited disruption to availability (A:L).

The official SPIP security advisory recommends immediate upgrade to version 4.4.13, which addresses the issue via a specific commit (b8481a7feb00f301f0ff7d5ce2aad8a772d92c2e) and associated merge request. Details are available in the SPIP blog post announcing the release and the corresponding Git repository changes.

EU & UK References

Vulnerability details

SPIP 4.4.10 through 4.4.12 before 4.4.13 allows unintended privilege assignment (of administrator privileges) during the editing of an author data structure because of STATUT mishandling.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CVE describes a privilege escalation vulnerability allowing an authenticated low-privileged user to gain administrator rights via improper STATUT field handling in the SPIP CMS author editing flow; this directly matches T1068 (Exploitation for Privilege Escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22206 (same product: Spip Spip)
CVE-2026-22205 (same product: Spip Spip)
CVE-2026-27475 (same product: Spip Spip)
CVE-2025-71243 (same vendor: Spip)
CVE-2026-27747 (same vendor: Spip)
CVE-2026-27743 (same vendor: Spip)
CVE-2026-27745 (same vendor: Spip)
CVE-2026-27744 (same vendor: Spip)

Affected Assets

Vendor: spip
Product: spip
Versions: 4.4.10 — 4.4.13

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Flaw remediation (prevent)
Directly mitigates the privilege escalation flaw by requiring timely identification, reporting, and correction through patching to version 4.4.13, addressing the STATUT mishandling.

AC-6 Least Privilege (prevent)
Enforces least privilege to prevent low-privilege authenticated users from editing author data structures in ways that assign administrator privileges.

AC-2 Account Management (prevent)
Requires proper management of user accounts and privileges to avoid unintended assignments during author data structure modifications.

References