PT-2026-21859 · WordPress · Spip Tickets Plugin

Valentin Lobstein (+1) · Published 2026-02-25 · Updated 2026-03-02 · CVE-2026-27744

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

SPIP tickets plugin versions prior to 4.3.3

Description

The SPIP tickets plugin is affected by a remote code execution issue. An unauthenticated attacker can execute code on the web server through crafted content injection. The plugin appends untrusted request parameters into HTML that is rendered by a template using unfiltered environment rendering (#ENV), disabling SPIP output filtering. This allows the attacker to inject content that is evaluated by SPIP's template processing chain.

Recommendations

Update the SPIP tickets plugin to version 4.3.3 or later.
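
An audit sketch for the recommendation above, added here as an example and not taken from the plugin or the advisory: it checks a plugin's paquet.xml against the fixed version 4.3.3 and lists template lines that render #ENV without SPIP's output filters. The "tickets" prefix, the star forms of #ENV as the unfiltered variants, and both sample inputs are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

FIXED = (4, 3, 3)   # first fixed release named in the advisory
PREFIX = "tickets"  # assumed plugin prefix in paquet.xml

# Assumption (SPIP template syntax): "#ENV*" skips entity escaping and
# "#ENV**" also skips the interdire_scripts safety filter.
ENV_RAW = re.compile(r"#ENV\*{1,2}(?:\{[^}\n]*\})?")

# Constructed samples, not taken from the plugin's source.
SAMPLE_PAQUET = '<paquet prefix="tickets" version="4.3.2" etat="stable"/>'
SAMPLE_TEMPLATE = """<div class="ticket">
  <h2>#ENV{titre}</h2>
  [(#ENV**{message})]
</div>"""


def parse_version(text):
    """Turn '4.3.2' into (4, 3, 2); suffixes such as '-dev' are ignored."""
    parts = []
    for piece in text.split(".")[:3]:
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(paquet_xml):
    """True when paquet.xml describes the tickets plugin below 4.3.3."""
    root = ET.fromstring(paquet_xml)
    if root.get("prefix", "").lower() != PREFIX:
        return False
    return parse_version(root.get("version", "0")) < FIXED


def raw_env_uses(template):
    """Return (line_number, tag) for each unfiltered #ENV use in a template."""
    hits = []
    for line_no, line in enumerate(template.splitlines(), 1):
        hits.extend((line_no, m.group()) for m in ENV_RAW.finditer(line))
    return hits


if __name__ == "__main__":
    print("affected:", is_affected(SAMPLE_PAQUET))
    for line_no, tag in raw_env_uses(SAMPLE_TEMPLATE):
        print(f"line {line_no}: unfiltered {tag}")
```

A hit from raw_env_uses is a review prompt, not proof of a flaw: what matters is whether the rendered value can carry request data.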

Exploit

Fix

RCE

Code Injection

Weakness Enumeration

Related identifiers

CVE-2026-27744

Affected products

Spip Tickets Plugin