CVE-2026-27744

The SPIP tickets plugin versions prior to 4.3.3 contain an unauthenticated remote code execution vulnerability in the forum preview handling for public ticket pages. The plugin appends untrusted request parameters into HTML that is later rendered by a template using unfiltered environment rendering (#ENV**), which disables SPIP output filtering. As a result, an unauthenticated attacker can inject crafted content that is evaluated through SPIP's template processing chain, leading to execution of code in the context of the web server.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-10.html	Release Notes
https://chocapikk.com/posts/2026/spip-plugins-vulnerabilities/	Third Party Advisory
https://git.spip.net/spip-contrib-extensions/tickets/-/commit/869935b6687822ed79ad5477626a664d8ea6dcf7	Patch
https://plugins.spip.net/tickets	Product
https://www.vulncheck.com/advisories/spip-tickets-unauthenticated-rce	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:spip:tickets:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-25 04:16

Updated : 2026-02-27 19:41

NVD link : CVE-2026-27744

Mitre link : CVE-2026-27744

CVE.ORG link : CVE-2026-27744

JSON object : View

Products Affected

spip

tickets

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2026-27744", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-25T04:16:04.973", "references": [{"url": "https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-10.html", "tags": ["Release Notes"], "source": "disclosure@vulncheck.com"}, {"url": "https://chocapikk.com/posts/2026/spip-plugins-vulnerabilities/", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}, {"url": "https://git.spip.net/spip-contrib-extensions/tickets/-/commit/869935b6687822ed79ad5477626a664d8ea6dcf7", "tags": ["Patch"], "source": "disclosure@vulncheck.com"}, {"url": "https://plugins.spip.net/tickets", "tags": ["Product"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/spip-tickets-unauthenticated-rce", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "The SPIP tickets plugin versions prior to\u00a04.3.3 contain an unauthenticated remote code execution vulnerability in the forum preview handling for public ticket pages. The plugin appends untrusted request parameters into HTML that is later rendered by a template using unfiltered environment rendering (#ENV**), which disables SPIP output filtering. As a result, an unauthenticated attacker can inject crafted content that is evaluated through SPIP's template processing chain, leading to execution of code in the context of the web server."}, {"lang": "es", "value": "El plugin SPIP tickets versiones anteriores a la 4.3.3 contienen una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo no autenticada en el manejo de la vista previa del foro para p\u00e1ginas p\u00fablicas de tickets. El plugin a\u00f1ade par\u00e1metros de solicitud no confiables en HTML que luego es renderizado por una plantilla usando renderizado de entorno sin filtrar (#ENV**), lo que desactiva el filtrado de salida de SPIP. Como resultado, un atacante no autenticado puede inyectar contenido dise\u00f1ado que es evaluado a trav\u00e9s de la cadena de procesamiento de plantillas de SPIP, lo que lleva a la ejecuci\u00f3n de c\u00f3digo en el contexto del servidor web."}], "lastModified": "2026-02-27T19:41:32.743", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:spip:tickets:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "47C0628A-EA35-4D36-8BC6-D16269289E55", "versionEndExcluding": "4.3.3"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}