UBUNTU-CVE-2026-26345

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-26345

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-26345.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-26345

Upstream

CVE-2026-26345

Published

2026-02-19T16:27:00Z

Modified

2026-02-28T06:13:09.890014Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

SPIP before 4.4.8 contains a stored cross-site scripting (XSS) vulnerability in the public area triggered in certain edge-case usage patterns. The echapperhtmlsuspect() function does not adequately sanitize user-controlled content, allowing authenticated users with content-editing privileges (e.g., author-level roles and above) to inject malicious scripts. The injected payload may be rendered across multiple pages within the framework and execute in the browser context of other users, including administrators. Successful exploitation can allow attackers to perform actions in the security context of the victim user, including unauthorized modification of application state. This vulnerability is not mitigated by the SPIP security screen.

References

Affected packages

Ubuntu:16.04:LTS

spip

Package

Name: spip
Purl: pkg:deb/ubuntu/spip@3.0.21-1ubuntu1?arch=source&distro=xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.0.20-1

3.0.21-1

3.0.21-1ubuntu1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "3.0.21-1ubuntu1",
            "binary_name": "spip"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-26345.json"

Ubuntu:22.04:LTS

spip

Package

Name: spip
Purl: pkg:deb/ubuntu/spip@4.0.4-1?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.2.11-3

3.2.12-1

4.*

4.0.2-1

4.0.4-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "4.0.4-1",
            "binary_name": "spip"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-26345.json"

Ubuntu:24.04:LTS

spip

Package

Name: spip
Purl: pkg:deb/ubuntu/spip@4.2.9+dfsg-2?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.1.11+dfsg-1

4.1.12+dfsg-1

4.1.13+dfsg-1

4.1.15+dfsg-1

4.2.9+dfsg-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "4.2.9+dfsg-2",
            "binary_name": "spip"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-26345.json"

Ubuntu:25.10

spip

Package

Name: spip
Purl: pkg:deb/ubuntu/spip@4.4.3+dfsg-1?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.3.8+dfsg-1

4.4.3+dfsg-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "4.4.3+dfsg-1",
            "binary_name": "spip"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-26345.json"

Ubuntu:Pro:18.04:LTS

spip

Package

Name: spip
Purl: pkg:deb/ubuntu/spip@3.1.4-4~deb9u5ubuntu0.1~esm2?arch=source&distro=esm-apps/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.1.4-3

3.1.4-4~deb9u3build0.18.04.1

3.1.4-4~deb9u5build0.18.04.1

3.1.4-4~deb9u5ubuntu0.1~esm2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "3.1.4-4~deb9u5ubuntu0.1~esm2",
            "binary_name": "spip"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-26345.json"

Ubuntu:Pro:20.04:LTS

spip

Package

Name: spip
Purl: pkg:deb/ubuntu/spip@3.2.7-1ubuntu0.1+esm2?arch=source&distro=esm-apps/focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.2.4-1

3.2.5-1

3.2.7-1

3.2.7-1ubuntu0.1

3.2.7-1ubuntu0.1+esm2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "3.2.7-1ubuntu0.1+esm2",
            "binary_name": "spip"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-26345.json"