🔐 CVE Alert

CVE-2026-27744

CRITICAL 9.8

SPIP tickets < 4.3.3 Unauthenticated RCE

CVSS Score
9.8
EPSS Score
0.0%
EPSS Percentile
0th

The SPIP tickets plugin, in versions prior to 4.3.3, contains an unauthenticated remote code execution vulnerability in the forum preview handling of public ticket pages. The plugin appends untrusted request parameters to HTML that is later rendered by a template through the unfiltered #ENV** tag; the double star disables SPIP's default output filtering, so the attacker-controlled values reach the template engine unescaped. An unauthenticated attacker can therefore inject crafted content that is evaluated by SPIP's template processing chain, leading to code execution in the context of the web server process. Upgrading to tickets 4.3.3 or later (the fix commit is listed under References) removes the issue.

CWE CWE-94
Vendor spip
Product tickets
Published Feb 25, 2026
Last Updated Mar 5, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

SPIP / tickets
all versions < 4.3.3 (fixed in 4.3.3)
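Because "< 4.3.3" must be compared numerically (4.3.10 is newer than 4.3.9, not older), a practitioner inventorying a SPIP install wants a small check rather than a string comparison. The following script is an added example, not code from this page or the SPIP project: it reads the version attribute of a plugin's paquet.xml manifest, compares it against the fixed release, and can walk a SPIP tree for every tickets manifest. The prefix/version attribute names follow SPIP's plugin manifest format; the embedded paquet.xml sample is constructed for the demonstration.

```python
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# First tickets release containing the fix, per the advisory above.
FIXED_VERSION = "4.3.3"
AFFECTED_PREFIX = "tickets"

# Constructed sample manifest (not a real file from the plugin).
SAMPLE_PAQUET = """<paquet
    prefix="tickets"
    categorie="communication"
    version="4.3.2"
    etat="stable">
</paquet>"""


def parse_version(v: str) -> tuple:
    """Turn '4.3.2', '4.3.10' or '4.3.3-dev' into a tuple of ints.

    Comparison is numeric per component, so '4.3.10' > '4.3.9'.
    Non-numeric suffixes (e.g. '-dev') are dropped; a pre-release of
    the fixed version is therefore treated as fixed, which is optimistic.
    """
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version: str) -> bool:
    """True when the tickets plugin version is in the affected range (< 4.3.3)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def check_paquet_xml(xml_text: str) -> dict:
    """Inspect one paquet.xml manifest.

    Returns prefix, version and a verdict: True/False for the tickets
    plugin, None for any other plugin (not in scope for this CVE).
    """
    root = ET.fromstring(xml_text)
    prefix = root.get("prefix", "")
    version = root.get("version", "")
    verdict = is_vulnerable(version) if prefix == AFFECTED_PREFIX else None
    return {"prefix": prefix, "version": version, "vulnerable": verdict}


def scan_tree(root_dir: str) -> list:
    """Find every paquet.xml under root_dir and report the tickets ones.

    SPIP keeps plugins under plugins/ and plugins/auto/, possibly in
    versioned subfolders, so a recursive search is the safest approach.
    """
    findings = []
    for manifest in Path(root_dir).rglob("paquet.xml"):
        try:
            result = check_paquet_xml(manifest.read_text(encoding="utf-8"))
        except ET.ParseError:
            continue  # not a well-formed manifest; skip
        if result["vulnerable"] is not None:
            result["path"] = str(manifest)
            findings.append(result)
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for f in scan_tree(sys.argv[1]):
            state = "VULNERABLE" if f["vulnerable"] else "fixed"
            print(f'{f["path"]}: tickets {f["version"]} -> {state}')
    else:
        r = check_paquet_xml(SAMPLE_PAQUET)
        print(f'sample manifest: tickets {r["version"]} vulnerable={r["vulnerable"]}')
```

Run it with the SPIP document root as the only argument to list every tickets manifest and its verdict; without arguments it evaluates the constructed sample. Treat a "fixed" verdict on a pre-release string (anything with a suffix after the patch number) as needing manual confirmation, since the parser ignores such suffixes.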

References

NVD
CVE.org
EPSS Data
chocapikk.com: https://chocapikk.com/posts/2026/spip-plugins-vulnerabilities/
blog.spip.net: https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-10.html
plugins.spip.net: https://plugins.spip.net/tickets
git.spip.net (fix commit): https://git.spip.net/spip-contrib-extensions/tickets/-/commit/869935b6687822ed79ad5477626a664d8ea6dcf7
vulncheck.com: https://www.vulncheck.com/advisories/spip-tickets-unauthenticated-rce

Credits

Valentin Lobstein (Chocapikk), VulnCheck