Description
SPIP before 4.4.8 allows cross-site scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. The fix adds a sandbox attribute to iframe tags in the private area. This vulnerability is not mitigated by the SPIP security screen.
Published: 2026-02-19
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting in SPIP back‑office via iframe tags
Action: Immediate Update
AI Analysis

Impact

SPIP versions prior to 4.4.8 allow malicious code to be injected into the back‑office through iframe tags because the application fails to escape or sandbox iframe content. This cross‑site scripting flaw is identified as CWE‑79 and can enable an attacker to run arbitrary scripts in the context of the private area, potentially exfiltrating credentials, injecting malware, and modifying or deleting content.

Affected Systems

The vulnerability affects the SPIP CMS platform for all releases older than 4.4.8. Administrators operating any of those versions are at risk; newer releases incorporate a sandbox attribute on all iframe elements in the private area, eliminating the flaw.

Risk and Exploitability

The issue is scored CVSS 5.1, indicating moderate severity, and has an EPSS score of less than 1%, meaning that current exploitation activity is expected to be very low. It is not listed in the CISA KEV catalog. Exploitation requires authenticated access to the back‑office, so the attack surface is limited to users with administrative or privileged session rights. Once an attacker is inside the private area, they can craft payloads that exploit the unsanitized iframe tags and run scripts within the site’s context.

Generated by OpenCVE AI on April 16, 2026 at 16:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official SPIP 4.4.8 update or later to include the iframe sandbox fix.
  • For sites that cannot update immediately, remove or disable iframe tags in the back‑office editor or add manual sanitization to block script execution.
  • Verify that the back‑office remains accessible only to trusted administrators and review role‑based access controls to minimize the number of users who can deposit content that might include iframes.

Tracking

Advisories

Source: Debian DSA
ID: DSA-6155-1
Title: spip security update

History

Mon, 02 Mar 2026 15:15:00 +0000
Type: Metrics (cvssV3_1)
Values removed: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
Values added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Tue, 24 Feb 2026 20:00:00 +0000
Type: Weaknesses
Values added: CWE-79

Mon, 23 Feb 2026 18:30:00 +0000
Type: Description
Values removed: SPIP before 4.4.8 allows Cross-Site Scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. The fix adds a sandbox attribute to iframe tags in the private area. This vulnerability is not mitigated by the SPIP security screen.
Values added: SPIP before 4.4.8 allows cross-site scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. The fix adds a sandbox attribute to iframe tags in the private area. This vulnerability is not mitigated by the SPIP security screen.

Fri, 20 Feb 2026 20:30:00 +0000
Type: Metrics (cvssV4_0)
Values removed: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}
Values added: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}

Fri, 20 Feb 2026 01:15:00 +0000
Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 15:45:00 +0000
Type: Description
Values added: SPIP before 4.4.8 allows Cross-Site Scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. The fix adds a sandbox attribute to iframe tags in the private area. This vulnerability is not mitigated by the SPIP security screen.
Type: Title
Values added: SPIP < 4.4.8 Cross-Site Scripting via Iframe Tags in Private Area
Type: First Time appeared
Values added: Spip; Spip spip
Type: CPEs
Values added: cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*
Type: Vendors & Products
Values added: Spip; Spip spip
Type: References
Type: Metrics (cvssV3_1)
Values added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
Type: Metrics (cvssV4_0)
Values added: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:31:00.381Z

Reserved: 2026-02-11T20:08:07.945Z

Link: CVE-2026-26223

Vulnrichment

Updated: 2026-02-19T19:50:52.624Z

NVD

Status: Modified

Published: 2026-02-19T16:27:15.817

Modified: 2026-03-02T15:16:35.063

Link: CVE-2026-26223

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:00:09Z

Weaknesses