How to Fix CVE-2026-27743: referer_spam (Bundle Sibling)
By Sai Kiran Pandrala. Last verified: 2026-05-25.
CVE-2026-27743 is a sibling vulnerability in the same vendor advisory as CVE-2026-22205. Apply the same patched build and you close both. The technical detail below is what differs.
| Field | Value |
|---|---|
| Severity | 9.3 (Critical) |
| Actively exploited? | No public listing in CISA KEV |
| Affected | referer_spam, all versions before 1.3.0 |
| Fixed in | Same patched build as CVE-2026-22205 |
| Type (CWE) | CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
What's different about CVE-2026-27743?
The SPIP referer_spam plugin versions prior to 1.3.0 contain an unauthenticated SQL injection vulnerability in the referer_spam_ajouter and referer_spam_supprimer action handlers. The handlers read the url parameter from a GET request and interpolate it directly into SQL LIKE clauses without input validation or parameterization. The endpoints do not enforce authorization checks and do not use SPIP action protections such as securiser_action(), allowing remote attackers to execute arbitrary SQL queries.
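To make the defect concrete, here is an added illustration (not code from the referer_spam plugin or from SPIP) of the two ways a LIKE clause can be built from a request parameter. Python with an in-memory SQLite table stands in for SPIP's PHP and MySQL; the table name, rows and the handler names are constructed for the demo. The vulnerable function splices the parameter into the SQL string exactly as the advisory describes, so a stray quote reaches the SQL parser and a bare `%` widens the match to every row. The hardened function binds the value as a parameter and escapes LIKE metacharacters, so the same inputs are treated as data.

```python
import sqlite3

# Constructed sample rows standing in for SPIP's referer table; not real data.
SAMPLE_REFERERS = [
    "https://example.org/page",
    "https://example.net/100%-offer",
    "https://spam.example/casino",
]


def make_db():
    """In-memory SQLite table playing the role of spip_referers (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE spip_referers (referer TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO spip_referers VALUES (?)", [(r,) for r in SAMPLE_REFERERS]
    )
    return conn


def find_vulnerable(conn, url):
    """The defect the advisory describes: request data spliced into a LIKE clause."""
    sql = f"SELECT referer FROM spip_referers WHERE referer LIKE '%{url}%'"
    return sorted(row[0] for row in conn.execute(sql))


def escape_like(value, esc="\\"):
    """Make %, _ and the escape character literal, so only the caller adds wildcards."""
    return (
        value.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def find_hardened(conn, url):
    """Bound parameter plus LIKE escaping: the input never reaches the SQL parser."""
    sql = "SELECT referer FROM spip_referers WHERE referer LIKE ? ESCAPE '\\'"
    pattern = "%" + escape_like(url) + "%"
    return sorted(row[0] for row in conn.execute(sql, (pattern,)))


def compare(url):
    """Run both handlers on one input and report whether the vulnerable one broke."""
    conn = make_db()
    try:
        vulnerable = find_vulnerable(conn, url)
        broke = False
    except sqlite3.OperationalError:
        vulnerable, broke = None, True  # the parameter altered the SQL itself
    hardened = find_hardened(conn, url)
    return {
        "input": url,
        "vulnerable_query_broke": broke,
        "vulnerable_rows": vulnerable,
        "hardened_rows": hardened,
    }


if __name__ == "__main__":
    # A stray quote escapes the string literal in the vulnerable query; a bare %
    # widens the wildcard to every row. The hardened query treats both as data.
    for probe in ["example.org", "example.org'", "%"]:
        print(compare(probe))
```

The escaping step matters even once the value is bound: without it, a user-supplied `%` or `_` still changes which rows the query matches, which is a data-exposure problem rather than an injection but is part of the same fix. In SPIP terms this is the job the page's reference to securiser_action() and parameter handling points at: gate the action and never let request data decide the shape of the query.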
How to fix CVE-2026-27743
Apply the patched build per the primary write-up: How to Fix CVE-2026-22205. All commands, verification steps, and rollback notes for referer_spam are listed there.
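After applying the build, a quick way to confirm that no vulnerable copy of the plugin remains is to read the plugin manifests and compare the declared version against 1.3.0. The script below is an added example, not part of the page's procedure or of SPIP; it assumes the usual SPIP layout in which each plugin ships a paquet.xml whose root paquet element carries prefix and version attributes, installed somewhere under plugins/. The three manifests embedded in it are constructed samples.

```python
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

PLUGIN_PREFIX = "referer_spam"
FIXED_VERSION = (1, 3, 0)  # from the advisory: every version before 1.3.0 is affected

# Constructed manifests. SPIP plugins ship a paquet.xml whose root <paquet> element
# carries prefix= and version= attributes (assumed layout; not taken from the page).
SAMPLE_VULNERABLE = '<paquet prefix="referer_spam" version="1.2.4" etat="stable" />'
SAMPLE_FIXED = '<paquet prefix="referer_spam" version="1.3.0" etat="stable" />'
SAMPLE_OTHER = '<paquet prefix="autre_plugin" version="9.9.9" etat="stable" />'


def parse_version(text):
    """'1.2.4' -> (1, 2, 4); tolerates a suffix such as '1.3.0-dev' and short forms like '1.3'."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)  # leading digits only; pre-release tags are ignored
        parts.append(int(m.group()) if m else 0)
    return tuple((parts + [0, 0, 0])[:3])


def inspect_paquet(xml_text):
    """Return (prefix, version tuple) from a paquet.xml body, or None if it is not a plugin manifest."""
    root = ET.fromstring(xml_text)
    if root.tag != "paquet":
        return None
    return root.get("prefix", ""), parse_version(root.get("version", "0"))


def is_vulnerable(xml_text):
    """True if the manifest is referer_spam below 1.3.0, False if fixed, None if another plugin."""
    info = inspect_paquet(xml_text)
    if info is None or info[0] != PLUGIN_PREFIX:
        return None
    return info[1] < FIXED_VERSION


def scan_install(spip_root):
    """Walk an installed SPIP tree for every paquet.xml under plugins/ (path layout assumed)."""
    findings = []
    for manifest in Path(spip_root).glob("plugins/**/paquet.xml"):
        try:
            verdict = is_vulnerable(manifest.read_text(encoding="utf-8"))
        except ET.ParseError:
            verdict = "unparseable"
        if verdict is not None:
            findings.append((str(manifest), verdict))
    return findings


if __name__ == "__main__":
    for label, sample in [
        ("vulnerable", SAMPLE_VULNERABLE),
        ("fixed", SAMPLE_FIXED),
        ("other", SAMPLE_OTHER),
    ]:
        print(label, is_vulnerable(sample))
    if len(sys.argv) > 1:  # optional: path to a SPIP installation root
        for path, verdict in scan_install(sys.argv[1]):
            print(path, "VULNERABLE" if verdict is True else verdict)
```

The glob is deliberately recursive because SPIP may keep several copies of a plugin in versioned subdirectories, and an old copy left beside the new one is exactly what a version check should surface. Pre-release suffixes are dropped during parsing, so a 1.3.0-dev build is reported as fixed; treat such builds conservatively and confirm against the vendor advisory.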
Frequently asked questions
Does the CVE-2026-22205 patch close CVE-2026-27743?
Yes. Both CVEs are addressed by the same vendor patch. Applying the patched build closes the full bundle.
Is CVE-2026-27743 listed in CISA KEV?
No public KEV listing at the time of this writing.
Where is the official advisory?
See https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-10.html
References
- Official vendor advisory: https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-10.html
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27743
- CISA KEV catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Primary: How to Fix CVE-2026-22205
*Written by Sai Kiran Pandrala. Part of the referer_spam bundle. Full procedure at how-to-fix-cve-2026-22205.*