CVE-2026-26345
MEDIUMSPIP 4.4.0-4.4.8 - Authenticated Stored Cross-Site Scripting via echapper_html_suspect()
Title source: llmDescription
SPIP before 4.4.8 contains a stored cross-site scripting (XSS) vulnerability in the public area triggered in certain edge-case usage patterns. The echapper_html_suspect() function does not adequately sanitize user-controlled content, allowing authenticated users with content-editing privileges (e.g., author-level roles and above) to inject malicious scripts. The injected payload may be rendered across multiple pages within the framework and execute in the browser context of other users, including administrators. Successful exploitation can allow attackers to perform actions in the security context of the victim user, including unauthorized modification of application state. This vulnerability is not mitigated by the SPIP security screen.
References (3)
Core 3
Core References
Various Sources vendor-advisory
patch
https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-8.html
Various Sources product
https://git.spip.net/spip/spip
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/spip-cross-site-scripting-in-public-area
Scores
CVSS v3
5.4
EPSS
0.0019
EPSS Percentile
8.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
spip/spip
4.4.0 - 4.4.8
Published
Feb 19, 2026
Tracked Since
Feb 19, 2026