Unauthenticated Remote Code Execution in SPIP Tickets Plugin by SPIP
CVE-2026-27744

9.3 CRITICAL

Key Information:

Vendor: Spip
Status: Vendor
CVE Published: 25 February 2026

Badges

👾 Exploit Exists

What is CVE-2026-27744?

The SPIP Tickets plugin, in versions prior to 4.3.3, contains an unauthenticated remote code execution vulnerability. The flaw lies in the forum preview handling of public ticket pages, where untrusted request parameters are appended directly into the HTML output. Because the plugin renders this data through the unfiltered environment tag (#ENV), SPIP's usual output filtering is bypassed. An attacker can therefore inject content that is interpreted by the SPIP template processing chain, resulting in arbitrary code execution on the web server.

Affected Version(s)

tickets 0 < 4.3.3

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability reserved

Credit

Valentin Lobstein (Chocapikk)
VulnCheck