Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-26345

SPIP before 4.4.8 contains a stored cross-site scripting (XSS) vulnerability in the public area triggered in certain edge-case usage patterns.
Back to all
CVE

CVE-2026-26345

SPIP before 4.4.8 contains a stored cross-site scripting (XSS) vulnerability in the public area triggered in certain edge-case usage patterns.

SPIP before 4.4.8 contains a stored cross-site scripting (XSS) vulnerability in the public area triggered in certain edge-case usage patterns. The echapperhtmlsuspect() function does not adequately sanitize user-controlled content, allowing authenticated users with content-editing privileges (e.g., author-level roles and above) to inject malicious scripts. The injected payload may be rendered across multiple pages within the framework and execute in the browser context of other users, including administrators. Successful exploitation can allow attackers to perform actions in the security context of the victim user, including unauthorized modification of application state. This vulnerability is not mitigated by the SPIP security screen.

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
8.6
-
4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
C
H
U
-

Related Resources

No items found.

References

https://git.spip.net/spip/spip, https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-8.html, https://www.vulncheck.com/advisories/spip-cross-site-scripting-in-public-area

Severity

0

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
0
EPSS Probability
0.0005%
EPSS Percentile
0.15452%
Introduced Version
34c023d47b424b5b4daebe8be37e2c4f1142ebc0,0
Fix Available
70220f88459c9e4ccefa49e64b56d21963278578,4.4.11+dfsg-0+deb13u1

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading