Cross-Site Scripting Vulnerability in SPIP by SPIP Team
CVE-2026-26345

8.6 HIGH

Key Information:

Vendor: Spip

Status
Vendor
CVE Published: 19 February 2026

What is CVE-2026-26345?

Versions of SPIP before 4.4.8 contain a vulnerability that allows Cross-Site Scripting (XSS) in public areas of the application. The echapper_html_suspect() function fails to adequately filter all dangerous content, enabling attackers to inject malicious scripts. These scripts can execute in the browsers of users accessing the affected areas, leading to potential data theft, session hijacking, or other harmful consequences. The existing SPIP security screen does not mitigate the vulnerability, so users should upgrade to the patched version to secure their environments.

Affected Version(s)

SPIP 4.4.0 < 4.4.8

CVSS V4

Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Arthur Deloffre (Vozec)
Louka Jacques-Chevallier (Laluka)
Philippe Boussin