CVE-2026-26345 – SPIP < 4.4.8 Cross-Site Scripting in Public Area
CVE ID : CVE-2026-26345
Published : Feb. 19, 2026, 4:27 p.m.
Description : SPIP before 4.4.8 allows Cross-Site Scripting (XSS) in the public area for certain edge-case usage patterns. The echapper_html_suspect() function does not adequately detect all forms of malicious content, permitting an attacker to inject scripts that execute in a visitor’s browser. This vulnerability is not mitigated by the SPIP security screen.
Severity: 4.7 | MEDIUM