{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27473", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-02-19T18:34:45.840Z", "datePublished": "2026-02-19T18:38:26.735Z", "dateUpdated": "2026-03-05T01:31:17.619Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SPIP", "vendor": "SPIP", "versions": [{"lessThan": "4.4.9", "status": "affected", "version": "4.4.0", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.4.9", "versionStartIncluding": "4.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "finder", "value": "Dorian Piette (Trachinus)"}], "datePublic": "2026-02-18T00:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>SPIP before 4.4.9 allows Stored Cross-Site Scripting (XSS) via syndicated sites in the private area. The #URL_SYNDIC output is not properly sanitized on the private syndicated site page, allowing an attacker who can set a malicious syndication URL to inject persistent scripts that execute when other administrators view the syndicated site details.</p>"}], "value": "SPIP before 4.4.9 allows Stored Cross-Site Scripting (XSS) via syndicated sites in the private area. The #URL_SYNDIC output is not properly sanitized on the private syndicated site page, allowing an attacker who can set a malicious syndication URL to inject persistent scripts that execute when other administrators view the syndicated site details."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.1, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-05T01:31:17.619Z"}, "references": [{"tags": ["vendor-advisory", "patch"], "url": "https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-9.html"}, {"tags": ["product"], "url": "https://git.spip.net/spip/spip"}, {"name": "VulnCheck Advisory: SPIP < 4.4.9 Stored Cross-Site Scripting via Syndicated Sites", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/spip-stored-cross-site-scripting-via-syndicated-sites"}], "source": {"discovery": "EXTERNAL"}, "title": "SPIP < 4.4.9 Stored Cross-Site Scripting via Syndicated Sites", "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T20:08:24.969447Z", "id": "CVE-2026-27473", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T20:08:37.706Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27473", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-20T20:08:24.969447Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T20:08:32.019Z"}}], "cna": {"title": "SPIP < 4.4.9 Stored Cross-Site Scripting via Syndicated Sites", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Dorian Piette (Trachinus)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SPIP", "product": "SPIP", "versions": [{"status": "affected", "version": "4.4.0", "lessThan": "4.4.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2026-02-18T00:00:00.000Z", "references": [{"url": "https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-9.html", "tags": ["vendor-advisory", "patch"]}, {"url": "https://git.spip.net/spip/spip", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/spip-stored-cross-site-scripting-via-syndicated-sites", "name": "VulnCheck Advisory: SPIP < 4.4.9 Stored Cross-Site Scripting via Syndicated Sites", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "SPIP before 4.4.9 allows Stored Cross-Site Scripting (XSS) via syndicated sites in the private area. The #URL_SYNDIC output is not properly sanitized on the private syndicated site page, allowing an attacker who can set a malicious syndication URL to inject persistent scripts that execute when other administrators view the syndicated site details.", "supportingMedia": [{"type": "text/html", "value": "<p>SPIP before 4.4.9 allows Stored Cross-Site Scripting (XSS) via syndicated sites in the private area. The #URL_SYNDIC output is not properly sanitized on the private syndicated site page, allowing an attacker who can set a malicious syndication URL to inject persistent scripts that execute when other administrators view the syndicated site details.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.4.9", "versionStartIncluding": "4.4.0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-05T01:31:17.619Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27473", "state": "PUBLISHED", "dateUpdated": "2026-03-05T01:31:17.619Z", "dateReserved": "2026-02-19T18:34:45.840Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-02-19T18:38:26.735Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*", "matchCriteriaId": "1590B61F-3E4B-4634-849E-E46C8BD6AA93", "versionEndExcluding": "4.4.9", "versionStartIncluding": "4.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SPIP before 4.4.9 allows Stored Cross-Site Scripting (XSS) via syndicated sites in the private area. The #URL_SYNDIC output is not properly sanitized on the private syndicated site page, allowing an attacker who can set a malicious syndication URL to inject persistent scripts that execute when other administrators view the syndicated site details."}, {"lang": "es", "value": "SPIP anterior a 4.4.9 permite Cross-Site Scripting Almacenado (XSS) a trav\u00e9s de sitios sindicados en el \u00e1rea privada. La salida #URL_SYNDIC no se sanea correctamente en la p\u00e1gina privada del sitio sindicado, permitiendo a un atacante que puede establecer una URL de sindicaci\u00f3n maliciosa inyectar scripts persistentes que se ejecutan cuando otros administradores ven los detalles del sitio sindicado."}], "id": "CVE-2026-27473", "lastModified": "2026-02-24T19:44:24.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-02-19T19:22:30.363", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Vendor Advisory", "Release Notes"], "url": "https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-9.html"}, {"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://git.spip.net/spip/spip"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/spip-stored-cross-site-scripting-via-syndicated-sites"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.4.0,4.4.9)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "SPIP", "source": "cna", "vendor": "SPIP"}, "product": "spip", "vendor": "spip"}], "analysis": {"en": {"generated_at": "2026-04-17T17:59:13.036874+00:00", "value": {"mitigation_remediation": ["Upgrade the SPIP installation to version 4.4.9 or later, which includes the fix for the stored XSS issue.", "If an immediate upgrade is not feasible, disable the syndicated site feature or remove all syndicated sites until the patch is applied.", "Sanitize or delete any existing syndication URLs that contain user\u2011controlled input to eliminate already injected scripts.", "Enforce stricter input validation on the syndication URL field to prevent future injection attempts."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting allowing persistent scripts to run for administrators."}, "threat_synthesis": {"affected_systems": "The affected product is SPIP; all releases older than 4.4.9 are vulnerable. No specific patches or sub\u2011versions are listed beyond the version threshold, so any installation running a pre\u20114.4.9 release may be affected.", "description_and_impact": "A stored cross\u2011site scripting vulnerability exists in SPIP versions prior to 4.4.9. The syndication URL that appears on the private syndicated site page is not properly sanitized, permitting an attacker to inject malicious scripts into the #URL_SYNDIC output. When an administrator later opens the syndicated site details, the injected scripts are executed in their browser, potentially delivering persistent client\u2011side code to that user.", "risk_and_exploitability": "The CVSS base score of 5.1 indicates moderate risk. The EPSS score of less than 1% suggests that exploitation attempts are expected to be rare. The vulnerability is not listed in the CISA KEV catalog. The attack vector requires the attacker to have the ability to set or modify a syndicated site URL, which generally implies administrative or privileged access. Once the malicious URL is in place, any administrator who views the syndicated site detail page will have the injected scripts executed in their browser."}}}}, "created": "2026-02-20T10:05:57.584016+00:00", "updated": "2026-04-17T18:00:12.194762+00:00", "vendors": ["spip", "spip$PRODUCT$spip"]}