CVE-2026-26345 — Cross-site Scripting in Spip

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

8.6HIGHNVD

EPSS

0.0%

top 86.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Spip Debian Spip

Timeline

PublishedFeb 19

Description

SPIP before 4.4.8 contains a stored cross-site scripting (XSS) vulnerability in the public area triggered in certain edge-case usage patterns. The echapper_html_suspect() function does not adequately sanitize user-controlled content, allowing authenticated users with content-editing privileges (e.g., author-level roles and above) to inject malicious scripts. The injected payload may be rendered across multiple pages within the framework and execute in the browser context of other users, includin…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Affected Packages3 packages

▶NVDspip/spip4.4.0 — 4.4.8

▶debiandebian/spip< spip 4.4.9+dfsg-1 (forky)

▶Debianspip/spip< 4.4.11+dfsg-0+deb13u1+1

🔴Vulnerability Details

OSV

CVE-2026-26345: SPIP before 4↗2026-02-19

▶

GHSA

GHSA-7wc5-wjpj-2r5j: SPIP before 4↗2026-02-19

▶

📋Vendor Advisories

Debian

CVE-2026-26345: spip - SPIP before 4.4.8 contains a stored cross-site scripting (XSS) vulnerability in ...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-26345 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶