Unrated severityNVD Advisory· Published Feb 19, 2026· Updated Mar 5, 2026

SPIP < 4.4.9 Cross-Site Scripting in Private Area (Incomplete Fix)

CVE-2026-27474

Description

SPIP before 4.4.9 allows Cross-Site Scripting (XSS) in the private area, complementing an incomplete fix from SPIP 4.4.8. The echappe_anti_xss() function was not systematically applied to input, form, button, and anchor (a) HTML tags, allowing an attacker to inject malicious scripts through these elements. This vulnerability is not mitigated by the SPIP security screen.

Affected products

Spip/Spipv5
Range: 4.4.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-9.htmlmitrevendor-advisorypatch
www.vulncheck.com/advisories/spip-cross-site-scripting-in-private-area-incomplete-fixmitrethird-party-advisory

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000