CVE-2026-27746

SPIP jeux < 4.1.1 Reflected XSS via index Parameters

CVSS 5.1 MEDIUMEPSS 0.2%CWE-79

The SPIP jeux plugin versions prior to 4.1.1 contain a reflected cross-site scripting (XSS) vulnerability in the pre_propre pipeline. The plugin incorporates untrusted request parameters into HTML output without proper output encoding, allowing attackers to inject arbitrary script content into pages that render a jeux block. When a victim is induced to visit a crafted URL, the injected content is reflected into the response and executed in the victim's browser context.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Productos afectados

SPIP · jeux

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-10.html https://chocapikk.com/posts/2026/spip-plugins-vulnerabilities/https://git.spip.net/spip-contrib-extensions/jeux/-/commit/3d240cffb258491acd72f8b37579e8a7417740ff https://plugins.spip.net/jeux https://www.vulncheck.com/advisories/spip-jeux-reflected-xss-via-index-parameters