{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-33549", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-03-22T02:03:47.214Z", "datePublished": "2026-03-22T02:03:47.629Z", "dateUpdated": "2026-04-02T17:58:46.498Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SPIP", "vendor": "SPIP", "versions": [{"lessThan": "4.4.13", "status": "affected", "version": "4.4.10", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "SPIP 4.4.10 through 4.4.12 before 4.4.13 allows unintended privilege assignment (of administrator privileges) during the editing of an author data structure because of STATUT mishandling."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-688", "description": "CWE-688 Function Call With Incorrect Variable or Reference as Argument", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-02T17:58:46.498Z"}, "references": [{"url": "https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-13.html?lang=fr"}, {"url": "https://git.spip.net/spip/prive/-/merge_requests/131"}, {"url": "https://git.spip.net/spip/prive/-/commit/b8481a7feb00f301f0ff7d5ce2aad8a772d92c2e"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.4.10", "versionEndExcluding": "4.4.13"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T15:16:40.053533Z", "id": "CVE-2026-33549", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:53:39.209Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33549", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-23T15:16:40.053533Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:16:41.626Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SPIP", "product": "SPIP", "versions": [{"status": "affected", "version": "4.4.10", "lessThan": "4.4.13", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-13.html?lang=fr"}, {"url": "https://git.spip.net/spip/prive/-/merge_requests/131"}, {"url": "https://git.spip.net/spip/prive/-/commit/b8481a7feb00f301f0ff7d5ce2aad8a772d92c2e"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "SPIP 4.4.10 through 4.4.12 before 4.4.13 allows unintended privilege assignment (of administrator privileges) during the editing of an author data structure because of STATUT mishandling."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-688", "description": "CWE-688 Function Call With Incorrect Variable or Reference as Argument"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.4.13", "versionStartIncluding": "4.4.10"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-02T17:58:46.498Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33549", "state": "PUBLISHED", "dateUpdated": "2026-04-02T17:58:46.498Z", "dateReserved": "2026-03-22T02:03:47.214Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-22T02:03:47.629Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*", "matchCriteriaId": "8197275A-C3D1-4830-B871-4D6232E0F142", "versionEndExcluding": "4.4.13", "versionStartIncluding": "4.4.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SPIP 4.4.10 through 4.4.12 before 4.4.13 allows unintended privilege assignment (of administrator privileges) during the editing of an author data structure because of STATUT mishandling."}, {"lang": "es", "value": "SPIP 4.4.10 hasta 4.4.12 antes de 4.4.13 permite la asignaci\u00f3n de privilegios no intencionada (de privilegios de administrador) durante la edici\u00f3n de una estructura de datos de autor debido a un manejo incorrecto de STATUT."}], "id": "CVE-2026-33549", "lastModified": "2026-04-17T21:13:29.500", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.5, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-22T03:16:01.237", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Release Notes"], "url": "https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-13.html?lang=fr"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://git.spip.net/spip/prive/-/commit/b8481a7feb00f301f0ff7d5ce2aad8a772d92c2e"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch"], "url": "https://git.spip.net/spip/prive/-/merge_requests/131"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-688"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.4.10,4.4.13)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "SPIP", "source": "cna", "vendor": "SPIP"}, "product": "spip", "vendor": "spip"}], "analysis": {"en": {"generated_at": "2026-04-02T22:18:00.377418+00:00", "value": {"mitigation_remediation": ["Apply the SPIP 4.4.13 release or later, which removes the mistaken STATUT handling and restores correct privilege checks."], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The issue affects SPIP CMS versions 4.4.10 through 4.4.12. The vendor SPIP is identified as the affected product. Users running these releases are susceptible to the flaw, while version 4.4.13 and later are not impacted.", "description_and_impact": "The vulnerability resides in the author management feature of SPIP CMS, where the status field is incorrectly handled, allowing a non\u2011administrator to assign administrator privileges to an author record. This flaw permits an attacker to elevate privileges to full administrative control over the site, potentially compromising confidential data, modifying site settings, and executing further attacks. The weakness corresponds to inadvertent privilege assignment as classified by CWE\u2011688.", "risk_and_exploitability": "The CVSS score of 6.7 places the vulnerability in the medium severity range, and the EPSS score of less than 1% indicates a low likelihood of widespread exploitation at present. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting it has not yet been abused in the wild. However, exploitation is feasible via the normal administrative interface; an attacker would need to create or edit an author record, after which the SYSTEM could grant administrative rights. This represents a significant risk to site owners who rely on the default SPIP author management workflow."}}}}, "created": "2026-03-23T09:46:46.321428+00:00", "updated": "2026-04-03T09:39:16.601390+00:00", "vendors": ["spip", "spip$PRODUCT$spip"]}