CVE-2026-26223

Medium CVSS: 5.1

SPIP before 4.4.8 allows cross-site scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. The fix adds a sandbox attribute to iframe tags in the private area. This vulnerability is not mitigated by the SPIP security screen.

Vendor

Spip

Product

Spip

CWE

CWE-79

Yayın Tarihi

2026-02-19 16:27:15

Güncelleme

2026-03-02 15:16:35

Source Identifier

disclosure@vulncheck.com

KEV Date Added

Kategoriler

CWE-79 Spip MEDIUM Spip 2026

Referanslar

https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-8.html https://git.spip.net/spip/spip https://www.vulncheck.com/advisories/spip-cross-site-scripting-via-iframe-tags-in-private-area

Benzer Kayıtlar

High

CVE-2026-22205

SPIP versions prior to 4.4.10 contain an authentication bypass vulnerability caused by PHP type juggling that allows una…

High

CVE-2026-22206

SPIP versions prior to 4.4.10 contain a SQL injection vulnerability that allows authenticated low-privilege users to exe…

High

CVE-2026-27745

The SPIP interface_traduction_objets plugin versions prior to 2.2.2 contain an authenticated remote code execution vulne…

Medium

CVE-2026-27746

The SPIP jeux plugin versions prior to 4.1.1 contain a reflected cross-site scripting (XSS) vulnerability in the pre_pro…

High

CVE-2026-27747

The SPIP interface_traduction_objets plugin versions prior to 2.2.2 contain an authenticated SQL injection vulnerability…

Critical

CVE-2026-27743

The SPIP referer_spam plugin versions prior to 1.3.0 contain an unauthenticated SQL injection vulnerability in the refer…