Vulnerability Description
SPIP before 4.4.8 contains a stored cross-site scripting (XSS) vulnerability in the public area triggered in certain edge-case usage patterns. The echapper_html_suspect() function does not adequately sanitize user-controlled content, allowing authenticated users with content-editing privileges (e.g., author-level roles and above) to inject malicious scripts. The injected payload may be rendered across multiple pages within the framework and execute in the browser context of other users, including administrators. Successful exploitation can allow attackers to perform actions in the security context of the victim user, including unauthorized modification of application state. This vulnerability is not mitigated by the SPIP security screen.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Spip | Spip | >= 4.4.0, < 4.4.8 |
Related Weaknesses (CWE)
References
- https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-8.htmlVendor AdvisoryRelease Notes
- https://git.spip.net/spip/spipProduct
- https://www.vulncheck.com/advisories/spip-cross-site-scripting-in-public-areaThird Party Advisory
FAQ
What is CVE-2026-26345?
CVE-2026-26345 is a vulnerability with a CVSS score of 5.4 (MEDIUM). SPIP before 4.4.8 contains a stored cross-site scripting (XSS) vulnerability in the public area triggered in certain edge-case usage patterns. The echapper_html_suspect() function does not adequately ...
How severe is CVE-2026-26345?
CVE-2026-26345 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-26345?
Check the references section above for vendor advisories and patch information. Affected products include: Spip Spip.