NuytsTech Security

CVE-2026-27746

by ·

The SPIP jeux plugin versions prior to 4.1.1 contain a reflected cross-site scripting (XSS) vulnerability in the pre_propre pipeline. The plugin incorporates untrusted request parameters into HTML output without proper output encoding, allowing attackers to inject arbitrary script content into pages that render a jeux block. When a victim is induced to visit a crafted URL, the injected content is reflected into the response and executed in the victim’s browser context.

More information : https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-10.html

Tags: