CVE-2026-27474: Cross-site Scripting in Spip

Severity: 4.8 MEDIUM (NVD)
EPSS: 0.0% (top 86.95%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Published Feb 19

Description

SPIP before 4.4.9 allows Cross-Site Scripting (XSS) in the private area; the 4.4.9 release completes an incomplete fix shipped in SPIP 4.4.8. The echappe_anti_xss() function was not systematically applied to input, form, button and anchor (a) HTML tags, so an attacker could inject script through these elements. The SPIP security screen does not mitigate this vulnerability.
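The practical lesson in the description is that a tag-list escaper is only as good as its list: input, form, button and a are not script tags, yet each can carry an on* event handler or a javascript: URL, so leaving them out of the list leaves a working XSS vector. The block below is an added, illustrative model of that failure in Python, chosen so it can be run here; it is not SPIP's PHP code, not echappe_anti_xss() itself, and the tag lists, payloads and helper names are assumptions made for the example. It escapes a set of constructed payloads with a "before" list that omits the four tag names and an "after" list that includes them, then reports which payloads a browser would still execute.

```python
import html
import re

# Illustrative tag lists. TAGS_BEFORE stands in for an escaper whose list
# omits the four tag names the CVE description says were missed; TAGS_AFTER
# adds them. Neither is SPIP's real list (assumption for this example).
TAGS_BEFORE = ("script", "iframe", "object", "embed", "style")
TAGS_AFTER = TAGS_BEFORE + ("input", "form", "button", "a")

# Constructed payloads, one per tag the description names, plus a plain
# <script> element as a control that any escaper should already catch.
PAYLOADS = {
    "anchor": '<a href="javascript:alert(document.cookie)">profil</a>',
    "button": '<button onclick="alert(1)">ok</button>',
    "input": '<input autofocus onfocus="alert(1)">',
    "form": '<form action="javascript:alert(1)"><input type="submit"></form>',
    "script": "<script>alert(1)</script>",
}

# What a browser would still execute after escaping: a raw <script>
# element, any tag with an on* handler, or a javascript: URL in an
# attribute that navigates, loads or submits.
LIVE_VECTOR = re.compile(
    r"<script\b[^>]*>"
    r"|<[a-z][^>]*?\son[a-z]+\s*=[^>]*>"
    r"|<[a-z][^>]*?\s(?:href|action|formaction|src)\s*=\s*[\"']?\s*javascript:[^>]*>",
    re.IGNORECASE | re.DOTALL,
)


def escape_tags(markup: str, tags: tuple) -> str:
    """Model of a tag-list escaper: the opening and closing forms of the
    listed tags are HTML-escaped so the browser renders them as text, and
    every other tag passes through untouched. (Simplification: a '>' inside
    a quoted attribute value would end the tag early.)"""
    names = "|".join(re.escape(t) for t in tags)
    tag_re = re.compile(rf"</?\s*(?:{names})\b[^>]*>", re.IGNORECASE)
    return tag_re.sub(lambda m: html.escape(m.group(0), quote=True), markup)


def live_script_vectors(markup: str) -> list:
    """Return the unescaped tags in markup that still carry script."""
    return [m.group(0) for m in LIVE_VECTOR.finditer(markup)]


def audit(tags: tuple) -> list:
    """Run every payload through escape_tags() with the given tag list and
    return the names of the payloads that still contain a live vector."""
    return sorted(
        name for name, payload in PAYLOADS.items()
        if live_script_vectors(escape_tags(payload, tags))
    )


if __name__ == "__main__":
    for label, tags in (("before (incomplete list)", TAGS_BEFORE),
                        ("after (list extended)", TAGS_AFTER)):
        print(f"{label}: still live -> {audit(tags) or 'none'}")
```

With the shorter list the script control is neutralised but all four of the named tags survive with their handlers or javascript: URLs intact; adding them to the list closes those payloads. The detector is the useful half of this for a defender: the same LIVE_VECTOR check can be pointed at stored private-area content to confirm that what an escaper let through carries no executable attribute, which is the property the 4.4.8 fix failed to guarantee.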

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Decoded: reachable over the network with low attack complexity and no special preconditions; requires low privileges (an authenticated account with access to the private area) and active interaction from the victim; no impact on the vulnerable SPIP system's own confidentiality, integrity or availability, with low confidentiality and integrity impact on a subsequent system (the victim's browser session).

Affected Packages (3 packages)

Source    Package        Affected range
NVD       spip/spip      >= 4.4.0, < 4.4.9
debian    debian/spip    < spip 4.4.9+dfsg-1 (forky)
Debian    spip/spip      < 4.4.11+dfsg-0+deb13u1+1

🔴 Vulnerability Details (2)

GHSA    GHSA-c33v-v6jp-566m: SPIP before 4...    2026-02-19
OSV     CVE-2026-27474: SPIP before 4...    2026-02-19

📋 Vendor Advisories (1)

Debian    CVE-2026-27474: spip - SPIP before 4.4.9 allows Cross-Site Scripting (XSS) in the private area, complem...    2026

🕵️ Threat Intelligence (1)

Wiz    CVE-2026-27474 Impact, Exploitability, and Mitigation Steps | Wiz

CVE-2026-27474 — Cross-site Scripting in Spip | cvebase