CVE-2026-27474

Name of the Vulnerable Software and Affected Versions SPIP versions prior to 4.4.9

Description SPIP versions before 4.4.9 contain a Cross-Site Scripting (XSS) issue in the private area. A previous fix in SPIP 4.4.8 was incomplete, and the echappe anti xss() function was not consistently applied to input, form, button, and anchor () HTML tags. This allows an attacker to inject malicious scripts through these elements. The SPIP security screen does not mitigate this issue.