CVE-2026-27474

SPIP < 4.4.9 Cross-Site Scripting in Private Area (Incomplete Fix)

Description

SPIP before 4.4.9 allows Cross-Site Scripting (XSS) in the private area, complementing an incomplete fix from SPIP 4.4.8. The echappe_anti_xss() function was not systematically applied to input, form, button, and anchor (a) HTML tags, allowing an attacker to inject malicious scripts through these elements. This vulnerability is not mitigated by the SPIP security screen.

INFO

Published Date :

2026-02-19T18:38:57.683Z

Last Modified :

2026-03-05T01:31:18.391Z

Source :

VulnCheck

AFFECTED PRODUCTS

The following products are affected by CVE-2026-27474 vulnerability.

Vendors	Products
Spip	Spip

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27474.

URL	Resource
https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-9.html
https://git.spip.net/spip/spip
https://www.vulncheck.com/advisories/spip-cross-site-scripting-in-private-area-incomplete-fix

CVSS Vulnerability Scoring System

V4
V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact