CVE-2026-27746 PUBLISHED

SPIP jeux < 4.1.1 Reflected XSS via index Parameters

Assigner: VulnCheck
Reserved: 23.02.2026 Published: 25.02.2026 Updated: 25.02.2026

The SPIP jeux plugin versions prior to 4.1.1 contain a reflected cross-site scripting (XSS) vulnerability in the pre_propre pipeline. The plugin incorporates untrusted request parameters into HTML output without proper output encoding, allowing attackers to inject arbitrary script content into pages that render a jeux block. When a victim is induced to visit a crafted URL, the injected content is reflected into the response and executed in the victim's browser context.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CVSS Score: 5.1

Product Status

Vendor SPIP
Product jeux
Versions Default: unaffected
  • affected from 0 to 4.1.1 (excl.)

Credits

  • Valentin Lobstein (Chocapikk) finder
  • VulnCheck coordinator

References

Problem Types

  • CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') CWE