🔐 CVE Alert

CVE-2026-27746

MEDIUM 6.1

SPIP jeux < 4.1.1 Reflected XSS via index Parameters

CVSS Score: 6.1
EPSS Score: 0.0%
EPSS Percentile: 0th

The SPIP jeux plugin versions prior to 4.1.1 contain a reflected cross-site scripting (XSS) vulnerability in the pre_propre pipeline. The plugin incorporates untrusted request parameters into HTML output without proper output encoding, allowing attackers to inject arbitrary script content into pages that render a jeux block. When a victim is induced to visit a crafted URL, the injected content is reflected into the response and executed in the victim's browser context.

CWE CWE-79
Vendor spip
Product jeux
Published Feb 25, 2026
Last Updated Mar 5, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Affected Versions

SPIP / jeux
0 < 4.1.1

References

chocapikk.com: https://chocapikk.com/posts/2026/spip-plugins-vulnerabilities/
blog.spip.net: https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-10.html
plugins.spip.net: https://plugins.spip.net/jeux
git.spip.net: https://git.spip.net/spip-contrib-extensions/jeux/-/commit/3d240cffb258491acd72f8b37579e8a7417740ff
vulncheck.com: https://www.vulncheck.com/advisories/spip-jeux-reflected-xss-via-index-parameters

Credits

Valentin Lobstein (Chocapikk) VulnCheck