Advisories: SPIP interface_traduction_objets < 2.2.2 Authenticated RCE

Severity: High
Date: 2/24/2026
Affected Versions: Versions of the SPIP interface_traduction_objets plugin prior to 4.3.3
CVE Identifier: CVE-2026-27745
Vulnerability Type: CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References:
- SPIP interface_traduction_objets Plugin Webpage
- SPIP interface_traduction_objets Plugin Fix Commit

Credit: Valentin Lobstein (Chocapikk)

Description: SPIP interface_traduction_objets plugin versions prior to 4.3.3 contain an authenticated remote code execution vulnerability in the translation interface workflow. The vulnerability allows authenticated attackers with editor-level privileges to inject crafted content that is evaluated as code.