- **Advisories**: SPIP interface_traduction_objets < 2.2.2 Authenticated RCE
- **Severity**: High
- **Date**: 2/24/2026
- **Affected Versions**: Versions of the SPIP interface_traduction_objets plugin prior to 4.3.3
- **CVE Identifier**: CVE-2026-27745
- **Vulnerability Type**: CWE-94: Improper Control of Generation of Code ('Code Injection')
- **CVSS V4 Vector**: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
- **References**:
  - [SPIP interface_traduction_objets Plugin Webpage](#webpage-url)
  - [SPIP interface_traduction_objets Plugin Fix Commit](#fix-commit-url)
- **Credit**: Valentin Lobstein (Chocapikk)
- **Description**: Versions of the SPIP interface_traduction_objets plugin prior to 4.3.3 contain an authenticated remote code execution vulnerability within the translation interface workflow. This vulnerability allows authenticated attackers with editor-level privileges to inject crafted content that is subsequently evaluated as code.