Reflected Cross-Site Scripting Vulnerability in SPIP Jeux Plugin by SPIP
CVE-2026-27746

5.1MEDIUM

Key Information:

Vendor: Spip
Status: Jeux
Vendor: CVE Published:; 25 February 2026

Badges

👾 Exploit Exists

What is CVE-2026-27746?

The SPIP Jeux Plugin prior to version 4.1.1 exposes web applications to reflected cross-site scripting attacks. By improperly handling untrusted request parameters in the pre_propre pipeline, the plugin allows attackers to create specially crafted URLs. When victims click on these URLs, harmful scripts are injected into the responses, enabling the execution of arbitrary scripts within the user's browser context. This vulnerability poses a significant risk, potentially compromising user data and security.

Affected Version(s)

jeux 0 < 4.1.1

References

https://chocapikk.com/posts/2026/spip-plugins-vulnerabili...

technical-descriptionexploit

https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-S...

vendor-advisory

https://plugins.spip.net/jeux

product

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Feb 25, 2026
👾
Exploit known to exist
Feb 25, 2026
Vulnerability published
Feb 25, 2026
Vulnerability Reserved
Feb 23, 2026

Credit

Valentin Lobstein (Chocapikk)

VulnCheck

CVE-2026-27746 Data

JSON

Spip

Badges

What is CVE-2026-27746?

Affected Version(s)

References

CVSS V4

Timeline

Credit