CVE-2026-27746
Reflected XSS in SPIP jeux Plugin pre_propre Pipeline
Publication date: 2026-02-25
Last updated on: 2026-02-27
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| spip | jeux | < 4.1.1 (4.1.1 itself not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27746 is a reflected cross-site scripting (XSS) vulnerability in the SPIP jeux plugin in versions prior to 4.1.1. The flaw sits in the pre_propre pipeline, where the plugin incorporates untrusted request parameters into HTML output without output encoding, so an attacker can inject arbitrary script content into any page that renders a jeux block.

When a victim visits a specially crafted URL, the injected script is reflected in the server response and executes in the victim's browser, within the origin of the SPIP site. [2]
How can this vulnerability impact me? :
An attacker who gets a victim to open a crafted URL can execute arbitrary script in the victim's browser in the context of the affected site. That script can read anything the page can: cookies that are not HttpOnly, session tokens or other private data exposed to the browser.

It can also perform actions on the site on the victim's behalf with the victim's session, alter the displayed content, or redirect the victim to a site the attacker controls. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are two checks. The first is inventory: a SPIP installation whose jeux plugin is older than 4.1.1 is affected. The second is behavioural: confirm that the application reflects an untrusted request parameter handled by the pre_propre pipeline into its HTML output without encoding it.

For the behavioural check, send a request with a marker payload in the parameter and look at the response. The parameter name `index` below stands for whichever request parameter your jeux block reads; the original advisory does not name it, so treat it as a placeholder. Using `--data-urlencode` keeps the angle brackets out of the raw request line, so you are testing the application's handling of the decoded value rather than the client's URL handling:

```shell
curl -i --get --data-urlencode "index=<script>alert('XSS')</script>" "http://your-spip-site/path"
```

Then inspect the response body:

- The response is only evidence of reflected XSS if its Content-Type is HTML and the literal `<script>alert('XSS')</script>` appears in the body with the angle brackets intact.
- If the body contains `&lt;script&gt;` instead, the parameter is reflected but output encoding is working, which is what a fixed build should show.
- If the marker does not appear at all, that parameter does not reach this response and you need to try the ones the jeux block actually consumes.

Only run this against systems you are authorised to test. [2, 3]
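The following is an added helper for the check just described; it is not code from the advisory, from SPIP or from the jeux plugin. It builds the probe URL with the payload URL-encoded and classifies a response body into the three outcomes listed above plus a non-HTML case. The parameter name `index`, the site path and the three sample responses are all assumptions constructed for this example, and nothing in it performs a network request: feed it the body and Content-Type of a response you obtained yourself.

```python
"""Probe helper for a reflected-XSS check.

Added example, not part of the advisory or of the jeux plugin. The
parameter name, path and sample responses are constructed placeholders.
"""
import html
from urllib.parse import urlencode, urlsplit, urlunsplit

# A canary that is harmless, unique and unlikely to occur in normal page
# output. The tag name is nonsense so a browser ignores it; what matters
# is whether the angle brackets survive the trip through the application.
CANARY = "xsscanary1234"
PAYLOAD = "<zzqx" + CANARY + ">"

# Content types a browser will actually render as HTML.
HTML_TYPES = {"text/html", "application/xhtml+xml"}


def build_probe_url(base_url: str, param: str, payload: str = PAYLOAD) -> str:
    """Append param=<url-encoded payload> to base_url, keeping any existing query.

    URL-encoding the payload keeps '<' and '>' out of the raw request line,
    so the test exercises the application's own decoding and output path
    rather than a particular HTTP client's handling of odd URLs.
    """
    parts = urlsplit(base_url)
    extra = urlencode({param: payload})
    query = parts.query + "&" + extra if parts.query else extra
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def classify_reflection(body: str, content_type: str) -> str:
    """Say what a response tells us about the injection point.

    Returns one of:
      'unencoded'     payload present verbatim in an HTML response: reflected XSS
      'neutralized'   canary came back but the tag delimiters were encoded or
                      stripped, i.e. output encoding or sanitisation is working
      'not-reflected' the parameter does not reach this response at all
      'non-html'      whatever was reflected, the browser will not render it as HTML
    """
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type not in HTML_TYPES:
        return "non-html"
    if PAYLOAD in body:
        return "unencoded"
    if CANARY in body:
        return "neutralized"
    return "not-reflected"


# Constructed sample responses standing in for what a vulnerable build, a
# fixed build and a JSON endpoint might return for the probe URL. They are
# not captures from a real SPIP installation.
SAMPLE_VULNERABLE_BODY = "<html><body><div class='jeux'>Index: " + PAYLOAD + "</div></body></html>"
SAMPLE_FIXED_BODY = "<html><body><div class='jeux'>Index: " + html.escape(PAYLOAD) + "</div></body></html>"
SAMPLE_JSON_BODY = '{"index": "' + PAYLOAD + '"}'

if __name__ == "__main__":
    print(build_probe_url("http://your-spip-site/path", "index"))
    for name, body, ctype in [
        ("vulnerable", SAMPLE_VULNERABLE_BODY, "text/html; charset=utf-8"),
        ("fixed", SAMPLE_FIXED_BODY, "text/html; charset=utf-8"),
        ("json", SAMPLE_JSON_BODY, "application/json"),
    ]:
        print(name, classify_reflection(body, ctype))
```

The 'neutralized' outcome is the one a fixed build should produce if the parameter is still echoed; 'not-reflected' only means this particular parameter and page do not feed the jeux block, not that the plugin is patched.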
What immediate steps should I take to mitigate this vulnerability?
The immediate step is to upgrade the SPIP jeux plugin to version 4.1.1 or later. The fix validates and sanitizes the indexes received via HTTP requests before they reach the pre_propre pipeline, so they are no longer written into the HTML output unencoded.

Until the upgrade can be applied, a web application firewall (WAF) rule that blocks or sanitizes requests carrying script tags or similar markup in the parameters the jeux plugin reads reduces exposure. Treat this as a stopgap only: pattern-based filtering of XSS payloads is routinely bypassed, and it does not remove the missing output encoding in the plugin.

Advise users not to follow suspicious or untrusted links to the site, since a reflected XSS needs the victim to open the crafted URL.
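The fix described above, validating the index before use and encoding it on output, is shown here as an added illustration of that pattern. It is written in Python and is not the jeux plugin's PHP code; the function names, the HTML fragment, the assumption that a legitimate index is a short non-negative integer, and the sample requests are all constructed for this example.

```python
"""Allow-list validation plus output encoding for a request-supplied index.

Added illustration of the remediation pattern; not the jeux plugin's code.
The shape of a legitimate index (a short non-negative integer) is an
assumption made for this example.
"""
import html
import re
from typing import Optional

# Assumed allow-list: an index selects one game block, so anything that is
# not a short run of digits is rejected outright rather than "cleaned".
INDEX_RE = re.compile(r"[0-9]{1,6}")


def render_block_vulnerable(params: dict) -> str:
    """Reflect the raw parameter into HTML: the CWE-79 pattern the advisory describes."""
    index = params.get("index", "0")
    return f"<div class='jeux' data-index='{index}'>Jeu {index}</div>"


def validate_index(raw: Optional[str]) -> Optional[int]:
    """Return the index as an int if it matches the allow-list, else None."""
    if raw is None or INDEX_RE.fullmatch(raw) is None:
        return None
    return int(raw)


def render_block_hardened(params: dict) -> str:
    """Validate first, then encode for the HTML context the value lands in.

    Validation alone would suffice for an all-digit value, but encoding on
    output is kept as a second layer so a later relaxation of the allow-list
    cannot silently reintroduce the injection.
    """
    index = validate_index(params.get("index"))
    if index is None:
        # Reject and fall back to a fixed, safe fragment; never echo the
        # rejected value back, even in an error message.
        return "<div class='jeux'>Jeu inconnu</div>"
    safe = html.escape(str(index), quote=True)
    return f"<div class='jeux' data-index='{safe}'>Jeu {safe}</div>"


# Constructed sample requests: one legitimate, one carrying an XSS payload.
LEGIT_REQUEST = {"index": "42"}
ATTACK_REQUEST = {"index": "1'><script>alert(1)</script>"}

if __name__ == "__main__":
    print(render_block_vulnerable(ATTACK_REQUEST))
    print(render_block_hardened(ATTACK_REQUEST))
    print(render_block_hardened(LEGIT_REQUEST))
```

Rejecting invalid input rather than stripping tags from it matters: a sanitizer that tries to "clean" `1'><script>` has to anticipate every encoding trick, whereas an allow-list only has to describe what a valid index looks like.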