{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/79860?format=json","vulnerability_id":"VCID-8mrh-pf8f-mydd","summary":"SPIP before 4.4.9 allows Cross-Site Scripting (XSS) in the private area, complementing an incomplete fix from SPIP 4.4.8. The echappe_anti_xss() function was not systematically applied to input, form, button, and anchor (a) HTML tags, allowing an attacker to inject malicious scripts through these elements. This vulnerability is not mitigated by the SPIP security screen.","aliases":[{"alias":"CVE-2026-27474"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/104296?format=json","purl":"pkg:deb/debian/spip@4.4.9%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/spip@4.4.9%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/104295?format=json","purl":"pkg:deb/debian/spip@4.4.11%2Bdfsg-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/spip@4.4.11%252Bdfsg-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1075346?format=json","purl":"pkg:deb/debian/spip@4.4.13%2Bdfsg-0%2Bdeb13u1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/spip@4.4.13%252Bdfsg-0%252Bdeb13u1"},{"url":"http://public2.vulnerablecode.io/api/packages/104262?format=json","purl":"pkg:deb/debian/spip@4.4.13%2Bdfsg-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/spip@4.4.13%252Bdfsg-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/104261?format=json","purl":"pkg:deb/debian/spip@4.4.15%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/spip@4.4.15%252Bdfsg-1%3Fdistro=trixie"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/104259?format=json","purl":"pkg:deb/debian/spip@3.2.11-3%2Bdeb11u10?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-24re-eqmh-akd4"},{"vulnerability":"VCID-5b25-j5mt-9kcq"},{"vulnerability":"VCID-8mrh-pf8f-mydd"},{"vulnerability":"VCID-9995-pmaf-eyae"},{"vulnerability":"VCID-bp8a-ff2x-73fk"},{"vulnerability":"VCID-e3hd-52jb-nfd1"},{"vulnerability":"VCID-gq4a-14cp-vbdy"},{"vulnerability":"VCID-hhkw-kf21-tugn"},{"vulnerability":"VCID-jnqg-ch1a-4fh6"},{"vulnerability":"VCID-mc7r-2vp9-d7cf"},{"vulnerability":"VCID-mv9y-czzw-5bgt"},{"vulnerability":"VCID-pjah-vzwr-jyem"},{"vulnerability":"VCID-xdz8-ngbr-fufg"},{"vulnerability":"VCID-xm8k-j298-ekck"},{"vulnerability":"VCID-y5s7-ewss-qyaa"},{"vulnerability":"VCID-znpb-3hsx-1ycu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/spip@3.2.11-3%252Bdeb11u10%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1075345?format=json","purl":"pkg:deb/debian/spip@3.2.11-3%2Bdeb11u10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-24re-eqmh-akd4"},{"vulnerability":"VCID-5b25-j5mt-9kcq"},{"vulnerability":"VCID-8mrh-pf8f-mydd"},{"vulnerability":"VCID-9995-pmaf-eyae"},{"vulnerability":"VCID-bp8a-ff2x-73fk"},{"vulnerability":"VCID-e3hd-52jb-nfd1"},{"vulnerability":"VCID-gq4a-14cp-vbdy"},{"vulnerability":"VCID-hhkw-kf21-tugn"},{"vulnerability":"VCID-jnqg-ch1a-4fh6"},{"vulnerability":"VCID-mc7r-2vp9-d7cf"},{"vulnerability":"VCID-mv9y-czzw-5bgt"},{"vulnerability":"VCID-pjah-vzwr-jyem"},{"vulnerability":"VCID-xdz8-ngbr-fufg"},{"vulnerability":"VCID-xm8k-j298-ekck"},{"vulnerability":"VCID-y5s7-ewss-qyaa"},{"vulnerability":"VCID-znpb-3hsx-1ycu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/spip@3.2.11-3%252Bdeb11u10"}],"references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27474","reference_id":"","reference_type":"","scores":[{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20475","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20298","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20473","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20496","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27474"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27474","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27474"},{"reference_url":"https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-9.html","reference_id":"Mise-a-jour-de-securite-sortie-de-SPIP-4-4-9.html","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T20:09:10Z/"}],"url":"https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-9.html"},{"reference_url":"https://git.spip.net/spip/spip","reference_id":"spip","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T20:09:10Z/"}],"url":"https://git.spip.net/spip/spip"},{"reference_url":"https://www.vulncheck.com/advisories/spip-cross-site-scripting-in-private-area-incomplete-fix","reference_id":"spip-cross-site-scripting-in-private-area-incomplete-fix","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T20:09:10Z/"}],"url":"https://www.vulncheck.com/advisories/spip-cross-site-scripting-in-private-area-incomplete-fix"}],"weaknesses":[],"exploits":[],"severity_range_score":"4.8 - 6.1","exploitability":"0.5","weighted_severity":"3.7","risk_score":1.9,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8mrh-pf8f-mydd"}