DEBIAN-CVE-2026-26345

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-26345

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-26345.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-26345

Upstream

CVE-2026-26345

Downstream

DSA-6155-1

Published

2026-02-19T16:27:16.003Z

Modified

2026-03-03T12:01:27.057034Z

Severity

8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator

Summary

[none]

Details

SPIP before 4.4.8 contains a stored cross-site scripting (XSS) vulnerability in the public area triggered in certain edge-case usage patterns. The echapperhtmlsuspect() function does not adequately sanitize user-controlled content, allowing authenticated users with content-editing privileges (e.g., author-level roles and above) to inject malicious scripts. The injected payload may be rendered across multiple pages within the framework and execute in the browser context of other users, including administrators. Successful exploitation can allow attackers to perform actions in the security context of the victim user, including unauthorized modification of application state. This vulnerability is not mitigated by the SPIP security screen.

References

https://security-tracker.debian.org/tracker/CVE-2026-26345

Affected packages

Debian:11 / spip

Package

Name: spip
Purl: pkg:deb/debian/spip?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.2.11-3

3.2.11-3+deb11u1

3.2.11-3+deb11u2

3.2.11-3+deb11u3

3.2.11-3+deb11u4

3.2.11-3+deb11u5

3.2.11-3+deb11u6

3.2.11-3+deb11u7

3.2.11-3+deb11u8

3.2.11-3+deb11u9

3.2.11-3+deb11u10

3.2.12-1

4.*

4.0.1-1

4.0.2-1

4.0.4-1

4.0.5-1

4.1.0~alpha+dfsg-1

4.1.0~beta+dfsg-1

4.1.0~rc+dfsg-1

4.1.1+dfsg-1

4.1.2+dfsg-1

4.1.5+dfsg-1

4.1.7+dfsg-1

4.1.8+dfsg-1

4.1.9+dfsg-1

4.1.10+dfsg-1

4.1.11+dfsg-1

4.1.12+dfsg-1

4.1.13+dfsg-1

4.1.15+dfsg-1

4.1.15+dfsg-2

4.2.2+dfsg-1

4.2.3+dfsg-1

4.2.4+dfsg-1

4.2.5+dfsg-1

4.2.6+dfsg-1

4.2.7+dfsg-1

4.2.8+dfsg-1

4.2.9+dfsg-1

4.2.9+dfsg-2

4.2.10+dfsg-1

4.2.11+dfsg-1

4.2.12+dfsg-1

4.2.13+dfsg-1

4.2.14+dfsg-1

4.3.0~alpha+dfsg-1

4.3.0~alpha.2+dfsg-1

4.3.0~beta+dfsg-1

4.3.0+dfsg-1

4.3.1+dfsg-1

4.3.2+dfsg-1

4.3.3+dfsg-1

4.3.4+dfsg-1

4.3.5+dfsg-1

4.3.6+dfsg-1

4.3.8+dfsg-1

4.4.2+dfsg-1

4.4.3+dfsg-1

4.4.4+dfsg-1

4.4.5+dfsg-1

4.4.6+dfsg-1

4.4.7+dfsg-1

4.4.8+dfsg-1

4.4.9+dfsg-1

4.4.10+dfsg-1

4.4.11+dfsg-1

4.4.13+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-26345.json"

Debian:13 / spip

Package

Name: spip
Purl: pkg:deb/debian/spip?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.4.11+dfsg-0+deb13u1

Affected versions

4.*

4.4.3+dfsg-1

4.4.3+dfsg-1+deb13u1

4.4.4+dfsg-1

4.4.5+dfsg-1

4.4.6+dfsg-1

4.4.7+dfsg-1

4.4.8+dfsg-1

4.4.9+dfsg-1

4.4.10+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-26345.json"

Debian:14 / spip

Package

Name: spip
Purl: pkg:deb/debian/spip?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.4.9+dfsg-1

Affected versions

4.*

4.4.3+dfsg-1

4.4.4+dfsg-1

4.4.5+dfsg-1

4.4.6+dfsg-1

4.4.7+dfsg-1

4.4.8+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-26345.json"