Cross-Site Scripting Vulnerability in SPIP by SPIP
CVE-2026-27474

4.8MEDIUM

Key Information:

Vendor: Spip
Status: Spip
Vendor: CVE Published:; 19 February 2026

What is CVE-2026-27474?

SPIP versions prior to 4.4.9 are vulnerable to a Cross-Site Scripting (XSS) attack within the private area of the application. This vulnerability arises due to an incomplete fix from the previously released version 4.4.8. The root cause lies in the failure to consistently apply the echappe_anti_xss() function across critical HTML elements, including input fields, forms, buttons, and anchor tags. As a result, attackers can inject malicious scripts through these elements, which can compromise the integrity and security of the website.

Affected Version(s)

SPIP 4.4.0 < 4.4.9

References

https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-S...

vendor-advisorypatch

https://git.spip.net/spip/spip

product

https://www.vulncheck.com/advisories/spip-cross-site-scri...

third-party-advisory

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 19, 2026
Vulnerability Reserved
Feb 19, 2026

Credit

Dorian Piette (Trachinus)

CVE-2026-27474 Data

JSON

Spip

What is CVE-2026-27474?

Affected Version(s)

References

CVSS V4

Timeline

Credit