CVE-2026-27744 - Vulnerability Analysis

Overview

SPIP tickets plugin < 4.3.3 contains a remote code execution caused by unfiltered environment rendering in forum preview handling, letting unauthenticated attackers execute code via crafted content injection.

Severity & Score

Impact

Unauthenticated attackers can execute arbitrary code on the web server, potentially leading to full server compromise.

Mitigation

Upgrade to version 4.3.3 or later.

References

• https://git.spip.net/spip-contrib-extensions/tickets/-/commit/869935b6687822ed79ad5477626a664d8ea6dcf7
• https://plugins.spip.net/tickets
• https://www.vulncheck.com/advisories/spip-tickets-unauthenticated-rce
• https://chocapikk.com/posts/2026/spip-plugins-vulnerabilities/

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner