Cross-Site Scripting Vulnerability in SPIP by SPIP Team
CVE-2026-26345
8.6HIGH
What is CVE-2026-26345?
In versions of SPIP before 4.4.8, a vulnerability exists that allows Cross-Site Scripting (XSS) in public areas of the application. The echapper_html_suspect() function fails to adequately filter all dangerous content, enabling attackers to inject malicious scripts. These scripts can execute in the browsers of users who visit the affected areas, leading to potential data theft, session hijacking, or other harmful consequences. The vulnerability is not mitigated by the existing SPIP security screen, so users are urged to upgrade to the patched version to secure their environments.
Affected Version(s)
SPIP 4.4.0 < 4.4.8
References
CVSS v4
Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Arthur Deloffre (Vozec)
Louka Jacques-Chevallier (Laluka)
Philippe Boussin
