CVE-2026-27746

Medium CVSS: 5.1

The SPIP jeux plugin versions prior to 4.1.1 contain a reflected cross-site scripting (XSS) vulnerability in the pre_propre pipeline. The plugin incorporates untrusted request parameters into HTML output without proper output encoding, allowing attackers to inject arbitrary script content into pages that render a jeux block. When a victim is induced to visit a crafted URL, the injected content is reflected into the response and executed in the victim's browser context.

Vendor

Spip

Product

Jeux

CWE

CWE-79

Yayın Tarihi

2026-02-25 04:16:05

Güncelleme

2026-02-27 19:24:53

Source Identifier

disclosure@vulncheck.com

KEV Date Added

Kategoriler

CWE-79 Jeux MEDIUM Spip 2026

Referanslar

https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-10.html https://chocapikk.com/posts/2026/spip-plugins-vulnerabilities/ https://git.spip.net/spip-contrib-extensions/jeux/-/commit/3d240cffb258491acd72f8b37579e8a7417740ff https://plugins.spip.net/jeux https://www.vulncheck.com/advisories/spip-jeux-reflected-xss-via-index-parameters

Benzer Kayıtlar

High

CVE-2026-22205

SPIP versions prior to 4.4.10 contain an authentication bypass vulnerability caused by PHP type juggling that allows una…

High

CVE-2026-22206

SPIP versions prior to 4.4.10 contain a SQL injection vulnerability that allows authenticated low-privilege users to exe…

High

CVE-2026-27745

The SPIP interface_traduction_objets plugin versions prior to 2.2.2 contain an authenticated remote code execution vulne…

High

CVE-2026-27747

The SPIP interface_traduction_objets plugin versions prior to 2.2.2 contain an authenticated SQL injection vulnerability…

Critical

CVE-2026-27743

The SPIP referer_spam plugin versions prior to 1.3.0 contain an unauthenticated SQL injection vulnerability in the refer…

Critical

CVE-2026-27744

The SPIP tickets plugin versions prior to 4.3.3 contain an unauthenticated remote code execution vulnerability in the fo…