Description
SPIP before 4.4.9 allows Stored Cross-Site Scripting (XSS) via syndicated sites in the private area. The #URL_SYNDIC output is not properly sanitized on the private syndicated site page, allowing an attacker who can set a malicious syndication URL to inject persistent scripts that execute when other administrators view the syndicated site details.
Published: 2026-02-19
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting allowing persistent scripts to run for administrators.
Action: Patch
AI Analysis

Impact

A stored cross-site scripting vulnerability exists in SPIP versions prior to 4.4.9. The syndication URL that appears on the private syndicated site page is not properly sanitized, permitting an attacker to inject malicious scripts into the #URL_SYNDIC output. When an administrator later opens the syndicated site details, the injected scripts are executed in their browser, potentially delivering persistent client-side code to that user.

Affected Systems

The affected product is SPIP; all releases older than 4.4.9 are vulnerable. No specific patches or sub-versions are listed beyond the version threshold, so any installation running a pre-4.4.9 release may be affected.

Risk and Exploitability

The CVSS base score of 5.1 indicates moderate risk. The EPSS score of less than 1% suggests that exploitation attempts are expected to be rare. The vulnerability is not listed in the CISA KEV catalog. The attack vector requires the attacker to have the ability to set or modify a syndicated site URL, which generally implies administrative or privileged access. Once the malicious URL is in place, any administrator who views the syndicated site detail page will have the injected scripts executed in their browser.

Generated by OpenCVE AI on April 17, 2026 at 17:59 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the SPIP installation to version 4.4.9 or later, which includes the fix for the stored XSS issue.
  • If an immediate upgrade is not feasible, disable the syndicated site feature or remove all syndicated sites until the patch is applied.
  • Sanitize or delete any existing syndication URLs that contain user-controlled input to eliminate already injected scripts.
  • Enforce stricter input validation on the syndication URL field to prevent future injection attempts.



Advisories
Source: Debian DSA
ID: DSA-6155-1
Title: spip security update
History

Tue, 24 Feb 2026 19:45:00 +0000

Weaknesses: added CWE-79

Fri, 20 Feb 2026 20:15:00 +0000

Metrics: added ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Feb 2026 19:15:00 +0000

Description: added "SPIP before 4.4.9 allows Stored Cross-Site Scripting (XSS) via syndicated sites in the private area. The #URL_SYNDIC output is not properly sanitized on the private syndicated site page, allowing an attacker who can set a malicious syndication URL to inject persistent scripts that execute when other administrators view the syndicated site details."
Title: added "SPIP < 4.4.9 Stored Cross-Site Scripting via Syndicated Sites"
First Time appeared: Spip, Spip spip
CPEs: added cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*
Vendors & Products: added Spip, Spip spip
References
Metrics: added cvssV3_1
{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}
Metrics: added cvssV4_0
{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:31:17.619Z

Reserved: 2026-02-19T18:34:45.840Z

Link: CVE-2026-27473

Vulnrichment

Updated: 2026-02-20T20:08:32.019Z

NVD

Status : Analyzed

Published: 2026-02-19T19:22:30.363

Modified: 2026-02-24T19:44:24.070

Link: CVE-2026-27473

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T18:00:12Z

Weaknesses