Vulnerability DatabaseCVE-2026-27475

CVE-2026-27475:
Linux Debian vulnerability analysis and mitigation

SPIP before 4.4.9 allows Insecure Deserialization in the public area through the table_valeur filter and the DATA iterator, which accept serialized data. An attacker who can place malicious serialized content (a pre-condition requiring prior access or another vulnerability) can trigger arbitrary object instantiation and potentially achieve code execution. The use of serialized data in these components has been deprecated and will be removed in SPIP 5. This vulnerability is not mitigated by the SPIP security screen.

Source: NVD

View vulnerable instances

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Watch 12-min demo

9.2

Score

Published February 19, 2026

Severity CRITICAL

CNA Score 9.2

Affected Technologies

Linux Debian
Echo

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 34.5

Exploitation Probability (EPSS) 0.1

Affected packages and libraries

spip

Sources

NVD
Debian Security Tracker
- Debian 11 Severity HIGHNo FixAdded at: Feb 20, 2026
- Debian 13, 14 Severity HIGHHas FixAdded at: Feb 20, 2026
Echo
- Echo Severity HIGHHas FixAdded at: Feb 20, 2026

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Linux Debian vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-41445	HIGH	8.7	Linux Debian	kissfft	No	No	Apr 20, 2026
CVE-2026-28684	MEDIUM	6.6	Linux Debian	python-dotenv	No	No	Apr 20, 2026
CVE-2026-6654	MEDIUM	5.1	Rust	thin-vec	No	Yes	Apr 20, 2026
CVE-2026-3219	MEDIUM	4.6	Linux Debian	python-pip	No	No	Apr 20, 2026
CVE-2026-5958	LOW	2.1	Linux Debian	sed	No	No	Apr 20, 2026