SPIP Jeux Plugin: Untrusted Input Injects Harmful Code into Pages

CVE-2026-27746
Summary

The SPIP jeux plugin fails to properly sanitize user input, allowing attackers to inject malicious code into pages that display jeux blocks. This could lead to unauthorized actions being performed on a user's account. Update the plugin to version 4.1.1 or later to fix this issue.

Original title
The SPIP jeux plugin versions prior to 4.1.1 contain a reflected cross-site scripting (XSS) vulnerability in the pre_propre pipeline. The plugin incorporates untrusted request parameters into HTML ...
Original description
The SPIP jeux plugin versions prior to 4.1.1 contain a reflected cross-site scripting (XSS) vulnerability in the pre_propre pipeline. The plugin incorporates untrusted request parameters into HTML output without proper output encoding, allowing attackers to inject arbitrary script content into pages that render a jeux block. When a victim is induced to visit a crafted URL, the injected content is reflected into the response and executed in the victim's browser context.
OSV · CVSS 3.1: 6.1
Published: 25 Feb 2026 · Updated: 14 Mar 2026 · First seen: 14 Mar 2026
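
The pattern named in the original description (a request parameter written into HTML without output encoding) and its fix, as an added PHP example. It is not the jeux plugin's code: the function names, the `reponse` parameter and the `<jeux></jeux>` marker are hypothetical, and the input is constructed.

```php
<?php
// Added illustration; not the jeux plugin's code. The function names, the
// 'reponse' parameter and the <jeux></jeux> marker are hypothetical.

const FIELD = '<form class="jeux"><input type="text" name="reponse" value="%s"></form>';

// Before: a request value is copied into the markup without encoding.
function render_block_unsafe(string $texte, array $params): string
{
    $value = (string) ($params['reponse'] ?? '');
    return str_replace('<jeux></jeux>', sprintf(FIELD, $value), $texte);
}

// After: the value is encoded for the HTML attribute context at output time.
function render_block_safe(string $texte, array $params): string
{
    $value = $params['reponse'] ?? '';
    if (!is_string($value)) {          // e.g. ?reponse[]=x arrives as an array
        $value = '';
    }
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return str_replace('<jeux></jeux>', sprintf(FIELD, $encoded), $texte);
}

// Constructed input: a value containing a quote and markup characters.
$params = ['reponse' => '"><em>reflected</em>'];
$texte  = '<p>Quiz</p><jeux></jeux>';

$unsafe = render_block_unsafe($texte, $params);
$safe   = render_block_safe($texte, $params);

echo $unsafe, PHP_EOL;  // the value closes the attribute and adds an <em> element
echo $safe, PHP_EOL;    // the value stays inside value="..." as text

// The encoded output must not contain markup taken from the parameter.
if (strpos($safe, '<em>') !== false || strpos($unsafe, '<em>') === false) {
    throw new RuntimeException('unexpected rendering');
}
```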