CVE-2026-26345

SPIP before 4.4.8 allows Cross-Site Scripting (XSS) in the public area for certain edge-case usage patterns. The echapper_html_suspect() function does not adequately detect all forms of malicious content, permitting an attacker to inject scripts that execute in a visitor's browser. This vulnerability is not mitigated by the SPIP security screen.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
VulnCheckCNA
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
spip
bullseye
vulnerable
bullseye (security)
vulnerable
forky
vulnerable
sid
4.4.9+dfsg-1
fixed
trixie
vulnerable
References
https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-8.html
https://git.spip.net/spip/spip
https://www.vulncheck.com/advisories/spip-cross-site-scripting-in-public-area