CVE-2026-27746

MEDIUM EPSS 10.1%
Published Feb 25, 20264mo ago · Modified Jun 17, 20261w ago
5.1 CVSS 4.0
Medium
Find Similar
Published Feb 25, 2026 4mo ago
Last Modified Jun 17, 2026 1w ago

Description

The SPIP jeux plugin versions prior to 4.1.1 contain a reflected cross-site scripting (XSS) vulnerability in the pre_propre pipeline. The plugin incorporates untrusted request parameters into HTML output without proper output encoding, allowing attackers to inject arbitrary script content into pages that render a jeux block. When a victim is induced to visit a crafted URL, the injected content is reflected into the response and executed in the victim's browser context.

CVSS Details

Base Score
5.1
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction A
Scope X

Threat Intelligence

EPSS Exploit Probability
10.1% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

VendorProductVersionRange
spipjeux* <4.1.1

References 5

  • blog.spip.net https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-10.html
    Release Notes
  • chocapikk.com https://chocapikk.com/posts/2026/spip-plugins-vulnerabilities/
    Third Party Advisory
  • git.spip.net https://git.spip.net/spip-contrib-extensions/jeux/-/commit/3d240cffb258491acd72f8b37579e8a7417740ff
    Patch
  • plugins.spip.net https://plugins.spip.net/jeux
    Product
  • vulncheck.com https://www.vulncheck.com/advisories/spip-jeux-reflected-xss-via-index-parameters
    Third Party Advisory

Remediation

  • git.spip.net https://git.spip.net/spip-contrib-extensions/jeux/-/commit/3d240cffb258491acd72f8b37579e8a7417740ff
    Patch