Description
The SPIP jeux plugin versions prior to 4.1.1 contain a reflected cross-site scripting (XSS) vulnerability in the pre_propre pipeline. The plugin incorporates untrusted request parameters into HTML output without proper output encoding, allowing attackers to inject arbitrary script content into pages that render a jeux block. When a victim is induced to visit a crafted URL, the injected content is reflected into the response and executed in the victim's browser context.
Published: 2026-02-25
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross-Site Scripting
Action: Patch Immediate
AI Analysis

Impact

The SPIP jeux plugin versions earlier than 4.1.1 allow reflected cross‑site scripting. A malicious actor can include arbitrary script code in untrusted request parameters that are incorporated into the output during the pre_propre pipeline. The injected code is then reflected directly into the HTML served to a victim, executing in the victim’s browser and enabling malicious actions such as phishing or cookie theft.

Affected Systems

Systems running the SPIP jeux plug-in with a version earlier than 4.1.1 are vulnerable. The pre_propre pipeline in these versions fails to apply proper output encoding before embedding user-supplied parameters into HTML. The vulnerability is specific to the jeu block rendering within SPIP sites.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, while the EPSS score of less than 1% suggests a very low probability of real-world exploitation. The vulnerability is not listed in CISA's KEV catalog. An attacker would need to craft a URL or input containing malicious payloads that target the index parameters used by the plugin; the reflected script then runs with the victim's browser privileges, potentially compromising user sessions or data. The risk level remains moderate, but the low exploitation likelihood limits the immediate threat unless an attacker actively leverages this vector.

Generated by OpenCVE AI on April 16, 2026 at 16:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the SPIP jeux plug‑in to version 4.1.1 or newer, which removes the reflected XSS flaw.
  • If an upgrade cannot be performed immediately, disable or remove the jeux block from pages that render user‑controlled index parameters to prevent script injection.
  • Verify that any custom templates or extensions that use the index parameters are coded to apply proper output escaping, such as converting special characters to HTML entities before insertion.

Generated by OpenCVE AI on April 16, 2026 at 16:16 UTC.
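The escaping recommendation above, shown as an added illustration in the shape of a SPIP pre_propre pipeline function (this is not the jeux plugin's own source; the request parameter name jeux_index and the bare <jeu> tag are assumptions made for the demo). _request() and entites_html() are SPIP's own helpers; stand-ins are defined so the file also runs outside SPIP.

```php
<?php
// Added illustration of the fix pattern; not the jeux plugin's own code.
// Assumed: the block is rendered from a <jeu> tag and selects the current
// item with a request parameter named jeux_index (hypothetical name).

// Stand-ins so the file runs outside SPIP; inside SPIP both already exist.
if (!function_exists('_request')) {
    function _request($nom) { return $_GET[$nom] ?? null; }
}
if (!function_exists('entites_html')) {
    function entites_html($texte) {
        return htmlspecialchars((string) $texte, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Unsafe pattern (the bug class described above): the raw request value
// is concatenated straight into the HTML that replaces the <jeu> tag.
function jeux_pre_propre_unsafe($texte) {
    $index = _request('jeux_index');
    return str_replace('<jeu>', '<div class="jeu" data-index="' . $index . '">', $texte);
}

// Hardened pattern: first constrain the value to the type the block really
// needs (a non-negative integer here), then HTML-escape whatever is echoed
// anyway, so a later widening of the allowed type cannot reopen the hole.
function jeux_pre_propre($texte) {
    $raw = _request('jeux_index');
    $index = (is_string($raw) && ctype_digit($raw)) ? (int) $raw : 0;
    $safe = entites_html((string) $index);
    return str_replace('<jeu>', '<div class="jeu" data-index="' . $safe . '">', $texte);
}

// Constructed demo input: not an integer, and it carries a double quote.
$_GET['jeux_index'] = '3" class="x';
$texte = '<jeu>Question 1</jeu>';
echo jeux_pre_propre_unsafe($texte), "\n"; // the quote escapes the attribute
echo jeux_pre_propre($texte), "\n";        // rejected value falls back to 0
```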


Advisories

No advisories yet.

History

Thu, 05 Mar 2026 02:15:00 +0000

Type / Values Removed / Values Added
First Time appeared: Spip spip
CPEs: cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*
Vendors & Products: Spip spip

Fri, 27 Feb 2026 19:30:00 +0000

Type / Values Removed / Values Added
CPEs: cpe:2.3:a:spip:jeux:*:*:*:*:*:*:*:*

Thu, 26 Feb 2026 20:30:00 +0000


Wed, 25 Feb 2026 16:15:00 +0000

Type / Values Removed / Values Added
Metrics: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 15:45:00 +0000

Type / Values Removed / Values Added
References
Metrics: cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Wed, 25 Feb 2026 12:00:00 +0000

Type / Values Removed / Values Added
First Time appeared: Spip, Spip jeux
Vendors & Products: Spip, Spip jeux

Wed, 25 Feb 2026 04:15:00 +0000

Type / Values Removed / Values Added
Description: The SPIP jeux plugin versions prior to 4.1.1 contain a reflected cross-site scripting (XSS) vulnerability in the pre_propre pipeline. The plugin incorporates untrusted request parameters into HTML output without proper output encoding, allowing attackers to inject arbitrary script content into pages that render a jeux block. When a victim is induced to visit a crafted URL, the injected content is reflected into the response and executed in the victim's browser context.
Title: SPIP jeux < 4.1.1 Reflected XSS via index Parameters
Weaknesses: CWE-79
References
Metrics: cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:31:27.353Z

Reserved: 2026-02-23T21:38:48.842Z

Link: CVE-2026-27746

Vulnrichment

Updated: 2026-02-25T15:50:00.444Z

NVD

Status: Analyzed

Published: 2026-02-25T04:16:05.320

Modified: 2026-02-27T19:24:53.483

Link: CVE-2026-27746

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:30:15Z

Weaknesses