CVE 2.1 LOW

SPIP < 4.4.8 Cross-Site Scripting in Public Area_CVE-2026-26345

February 19, 2026 invoker category_cve
2.1 / 10
LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Description

SPIP before 4.4.8 allows Cross-Site Scripting (XSS) in the public area for certain edge-case usage patterns. The echapper_html_suspect() function does not adequately detect all forms of malicious content, permitting an attacker to inject scripts that execute in a visitor's browser. This vulnerability is not mitigated by the SPIP security screen.

Basic Information

ID CVE-2026-26345
Source VulnCheck
Published Feb 19, 2026 at 15:25

Affected Product

Vendor SPIP
Product SPIP
Version 4.4.0
Affected Versions SPIP SPIP 4.4.0

CWE Classification

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.