CVE-2026-27473

EUVD-2026-8319
SPIP before 4.4.9 allows Stored Cross-Site Scripting (XSS) via syndicated sites in the private area. The #URL_SYNDIC output is not properly sanitized on the private syndicated site page, allowing an attacker who can set a malicious syndication URL to inject persistent scripts that execute when other administrators view the syndicated site details.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
spipspip
4.4.0 ≤
𝑥
< 4.4.9
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
spip
bullseye
vulnerable
bullseye (security)
vulnerable
forky
4.4.13+dfsg-1
fixed
sid
4.4.13+dfsg-1
fixed
trixie
4.4.11+dfsg-0+deb13u1
fixed
trixie (security)
4.4.13+dfsg-0+deb13u1
fixed
Common Weakness Enumeration
References
https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-9.html
https://git.spip.net/spip/spip
https://www.vulncheck.com/advisories/spip-stored-cross-site-scripting-via-syndicated-sites