{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-33549", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-03-22T02:03:47.214Z", "datePublished": "2026-03-22T02:03:47.629Z", "dateUpdated": "2026-03-23T15:53:39.209Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SPIP", "vendor": "SPIP", "versions": [{"lessThan": "4.4.13", "status": "affected", "version": "4.4.10", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "SPIP 4.4.10 through 4.4.12 before 4.4.13 allows unintended privilege assignment (of administrator privileges) during the editing of an author data structure because of STATUT mishandling."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-688", "description": "CWE-688 Function Call With Incorrect Variable or Reference as Argument", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-22T02:24:29.207Z"}, "references": [{"url": "https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-13.html?lang=fr"}, {"url": "https://git.spip.net/spip/prive/-/merge_requests/131"}, {"url": "https://git.spip.net/spip/prive/-/commit/b8481a7feb00f301f0ff7d5ce2aad8a772d92c2e"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T15:16:40.053533Z", "id": "CVE-2026-33549", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:53:39.209Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SPIP", "product": "SPIP", "versions": [{"status": "affected", "version": "4.4.10", "lessThan": "4.4.13", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-13.html?lang=fr"}, {"url": "https://git.spip.net/spip/prive/-/merge_requests/131"}, {"url": "https://git.spip.net/spip/prive/-/commit/b8481a7feb00f301f0ff7d5ce2aad8a772d92c2e"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "SPIP 4.4.10 through 4.4.12 before 4.4.13 allows unintended privilege assignment (of administrator privileges) during the editing of an author data structure because of STATUT mishandling."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-688", "description": "CWE-688 Function Call With Incorrect Variable or Reference as Argument"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-22T02:24:29.207Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33549", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-23T15:16:40.053533Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-23T15:16:41.626Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-33549", "state": "PUBLISHED", "dateUpdated": "2026-03-22T02:24:29.207Z", "dateReserved": "2026-03-22T02:03:47.214Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-22T02:03:47.629Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SPIP 4.4.10 through 4.4.12 before 4.4.13 allows unintended privilege assignment (of administrator privileges) during the editing of an author data structure because of STATUT mishandling."}], "id": "CVE-2026-33549", "lastModified": "2026-03-23T14:31:37.267", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.5, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-03-22T03:16:01.237", "references": [{"source": "cve@mitre.org", "url": "https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-13.html?lang=fr"}, {"source": "cve@mitre.org", "url": "https://git.spip.net/spip/prive/-/commit/b8481a7feb00f301f0ff7d5ce2aad8a772d92c2e"}, {"source": "cve@mitre.org", "url": "https://git.spip.net/spip/prive/-/merge_requests/131"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-688"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.4.10,4.4.13)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "SPIP", "source": "cna", "vendor": "SPIP"}, "product": "spip", "vendor": "spip"}], "analysis": {"en": {"generated_at": "2026-03-22T03:51:18.441723+00:00", "value": {"mitigation_remediation": ["Upgrade to SPIP 4.4.13 or newer"], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "SPIP versions 4.4.10, 4.4.11, and 4.4.12 are affected; the issue is resolved in 4.4.13 and newer releases.", "description_and_impact": "The flaw lets a user unintentionally assign administrator rights while editing an author's profile, giving full control over a SPIP site. This elevates an attacker\u2019s privileges to site\u2011wide administration, enabling modification of content, configuration, and user accounts, thereby impacting confidentiality, integrity, and availability.", "risk_and_exploitability": "The moderate CVSS score of 6.7 reflects a risk that can be exercised by an authenticated user with author\u2011editing rights. Exploitation would occur through the web interface that processes author data. No public exploitation reports or inclusion in known\u2011exploited\u2011vulnerability lists have been documented, and the probability of exploitation remains uncertain due to missing EPSS data."}}}}, "created": "2026-03-23T09:46:46.321428+00:00", "title": "Privilege Escalation via Unauthorized Administrator Assignment in SPIP CMS", "updated": "2026-03-25T14:46:46.661630+00:00", "vendors": ["spip", "spip$PRODUCT$spip"]}