SPIP Tickets Plugin: Unauthenticated Code Execution on Public Ticket Pages
CVE-2026-27744
Summary
The SPIP Tickets plugin on public ticket pages allows an attacker to execute code on your website without needing a password. This is a serious security risk because it could lead to unauthorized access or data theft. Update the plugin to version 4.3.3 or later to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| spip | tickets | <= 4.3.3 | – |
Original title
The SPIP tickets plugin versions prior to 4.3.3 contain an unauthenticated remote code execution vulnerability in the forum preview handling for public ticket pages. The plugin appends untrusted re...
Original description
The SPIP tickets plugin versions prior to 4.3.3 contain an unauthenticated remote code execution vulnerability in the forum preview handling for public ticket pages. The plugin appends untrusted request parameters into HTML that is later rendered by a template using unfiltered environment rendering (`#ENV**`), which disables SPIP output filtering. As a result, an unauthenticated attacker can inject crafted content that is evaluated through SPIP's template processing chain, leading to execution of code in the context of the web server.
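The root cause above is a template tag that skips SPIP's output filters. The following added example (not code from the plugin or the advisory) is a small audit script that scans a SPIP squelette for `#ENV*{...}` and `#ENV**{...}` uses, which are the single- and double-star forms that bypass filtering; the sample template is constructed for illustration, and whether a flagged variable actually carries request-controlled data still has to be confirmed by reading the code that fills the environment.

```python
import re

# Matches SPIP environment tags: #ENV{var}, #ENV*{var}, #ENV**{var}.
# One star drops the final safety filter; two stars drop every output
# filter, which is the unfiltered rendering the advisory describes.
ENV_TAG = re.compile(r"#ENV(\*{0,2})\{\s*([A-Za-z0-9_]+)")


def find_unfiltered_env(template_text):
    """Return (line_number, variable, star_count) for each #ENV* / #ENV** use.

    Plain #ENV{var} is filtered by SPIP and is not reported.
    """
    findings = []
    for lineno, line in enumerate(template_text.splitlines(), start=1):
        for match in ENV_TAG.finditer(line):
            stars = len(match.group(1))
            if stars > 0:
                findings.append((lineno, match.group(2), stars))
    return findings


# Constructed sample squelette (assumption: not the tickets plugin's real
# template); line 3 shows the unfiltered pattern the advisory warns about.
SAMPLE_TEMPLATE = """<div class="ticket">
  <h2>#ENV{titre}</h2>
  <div class="preview">#ENV**{texte_preview}</div>
  <p>[(#ENV*{auteur}|textebrut)]</p>
</div>"""

if __name__ == "__main__":
    for lineno, var, stars in find_unfiltered_env(SAMPLE_TEMPLATE):
        tag = "#ENV" + "*" * stars + "{" + var + "}"
        print(f"line {lineno}: {tag} bypasses SPIP output filtering")
```

Run it over a site's `squelettes/` and plugin template directories to get a list of places where a request-derived value would reach the page unfiltered.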
NVD CVSS 3.1: 9.8
NVD CVSS 4.0: 9.3
Vulnerability type
CWE-94: Code Injection
References
- https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-10.html (Release Notes)
- https://chocapikk.com/posts/2026/spip-plugins-vulnerabilities/ (Third Party Advisory)
- https://git.spip.net/spip-contrib-extensions/tickets/-/commit/869935b6687822ed79... (Patch)
- https://plugins.spip.net/tickets (Product)
- https://www.vulncheck.com/advisories/spip-tickets-unauthenticated-rce (Third Party Advisory)
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026