CVE-2026-26223

SPIP before 4.4.8 allows cross-site scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. The fix adds a sandbox attribute to iframe tags in the private area. This vulnerability is not mitigated by the SPIP security screen.
Configurations

Configuration 1

cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*

History

02 Mar 2026, 15:16

Type: References
  Values Removed: https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-8.html - Vendor Advisory, Release Notes
  Values Added: https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-8.html - Release Notes, Vendor Advisory
Type: CVSS
  Values Removed: v2 : unknown; v3 : 5.4
  Values Added: v2 : unknown; v3 : 6.1

24 Feb 2026, 19:52

Type: CPE
  Values Added: cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*
Type: References
  Values Added: https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-8.html - Vendor Advisory, Release Notes
Type: References
  Values Added: https://git.spip.net/spip/spip - Product
Type: References
  Values Added: https://www.vulncheck.com/advisories/spip-cross-site-scripting-via-iframe-tags-in-private-area - Third Party Advisory
Type: CWE
  Values Added: CWE-79
Type: First Time
  Values Added: Spip spip; Spip

23 Feb 2026, 19:22

Type: Summary
  Values Added: (es, translated) SPIP before 4.4.8 allows cross-site scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. The fix adds a sandbox attribute to iframe tags in the private area. This vulnerability is not mitigated by the SPIP security screen.
Type: Summary
  Values Removed: (en) SPIP before 4.4.8 allows Cross-Site Scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. The fix adds a sandbox attribute to iframe tags in the private area. This vulnerability is not mitigated by the SPIP security screen.
  Values Added: (en) SPIP before 4.4.8 allows cross-site scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. The fix adds a sandbox attribute to iframe tags in the private area. This vulnerability is not mitigated by the SPIP security screen.

19 Feb 2026, 16:27

Type Values Removed Values Added
New CVE

Information

Published : 2026-02-19 16:27

Updated : 2026-03-02 15:16


NVD link : CVE-2026-26223

Mitre link : CVE-2026-26223

CVE.ORG link : CVE-2026-26223

Products Affected

spip

  • spip
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')