CVE-2026-26345

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-26345

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26345.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-26345

Downstream

DEBIAN-CVE-2026-26345

DSA-6155-1

UBUNTU-CVE-2026-26345

Published

2026-02-19T16:27:16.003Z

Modified

2026-02-26T01:23:58.729573Z

Severity

8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator

Summary

[none]

Details

SPIP before 4.4.8 contains a stored cross-site scripting (XSS) vulnerability in the public area triggered in certain edge-case usage patterns. The echapperhtmlsuspect() function does not adequately sanitize user-controlled content, allowing authenticated users with content-editing privileges (e.g., author-level roles and above) to inject malicious scripts. The injected payload may be rendered across multiple pages within the framework and execute in the browser context of other users, including administrators. Successful exploitation can allow attackers to perform actions in the security context of the victim user, including unauthorized modification of application state. This vulnerability is not mitigated by the SPIP security screen.

References

Affected packages

Git / git.spip.net/spip/spip

Affected ranges

Type: GIT
Repo: https://git.spip.net/spip/spip
Events: Introduced

34c023d47b424b5b4daebe8be37e2c4f1142ebc0

Fixed

70220f88459c9e4ccefa49e64b56d21963278578

Affected versions

4.*

4.4.0

4.4.1

4.4.2

4.4.3

4.4.4

4.4.5

4.4.6

4.4.7

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26345.json"