Unrated severityNVD Advisory· Published Feb 19, 2026· Updated Mar 5, 2026
SPIP < 4.4.9 Cross-Site Scripting in Private Area (Incomplete Fix)
CVE-2026-27474
Description
SPIP before 4.4.9 allows Cross-Site Scripting (XSS) in the private area, complementing an incomplete fix from SPIP 4.4.8. The echappe_anti_xss() function was not systematically applied to input, form, button, and anchor (a) HTML tags, allowing an attacker to inject malicious scripts through these elements. This vulnerability is not mitigated by the SPIP security screen.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
2- blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-9.htmlmitrevendor-advisorypatch
- www.vulncheck.com/advisories/spip-cross-site-scripting-in-private-area-incomplete-fixmitrethird-party-advisory
News mentions
0No linked articles in our index yet.