5.1
SPIP Jeux Plugin: Reflected Cross-Site Scripting (XSS) in the pre_propre Pipeline
CVE-2026-27746
Summary
Versions of the SPIP Jeux plugin prior to 4.1.1 contain a reflected cross-site scripting (XSS) vulnerability. An attacker could trick a user into visiting a specially crafted URL, which would inject script content into the page and execute it in the user's browser. To protect your site, update to version 4.1.1 or later.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| spip | jeux | <= 4.1.1 | – |
Original title
The SPIP jeux plugin versions prior to 4.1.1 contain a reflected cross-site scripting (XSS) vulnerability in the pre_propre pipeline. The plugin incorporates untrusted request parameters into HTML ...
Original description
The SPIP jeux plugin versions prior to 4.1.1 contain a reflected cross-site scripting (XSS) vulnerability in the pre_propre pipeline. The plugin incorporates untrusted request parameters into HTML output without proper output encoding, allowing attackers to inject arbitrary script content into pages that render a jeux block. When a victim is induced to visit a crafted URL, the injected content is reflected into the response and executed in the victim's browser context.
nvd CVSS3.1
6.1
nvd CVSS4.0
5.1
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
- https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-10.html Release Notes
- https://chocapikk.com/posts/2026/spip-plugins-vulnerabilities/ Third Party Advisory
- https://git.spip.net/spip-contrib-extensions/jeux/-/commit/3d240cffb258491acd72f... Patch
- https://plugins.spip.net/jeux Product
- https://www.vulncheck.com/advisories/spip-jeux-reflected-xss-via-index-parameter... Third Party Advisory
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026