CVE-2026-27744 - Vulnerability Analysis
Critical | CVSS: 9.8 | Last Updated: February 26, 2026
SPIP tickets plugin - Remote Code Execution
Overview
SPIP tickets plugin versions before 4.3.3 contain a remote code execution vulnerability caused by unfiltered environment rendering in forum preview handling, which lets unauthenticated attackers execute code via crafted content injection.
Severity & Score
Impact
Unauthenticated attackers can execute arbitrary code on the web server, potentially leading to full server compromise.
Mitigation
Upgrade to version 4.3.3 or later.
References
- https://git.spip.net/spip-contrib-extensions/tickets/-/commit/869935b6687822ed79ad5477626a664d8ea6dcf7
- https://plugins.spip.net/tickets
- https://www.vulncheck.com/advisories/spip-tickets-unauthenticated-rce
- https://chocapikk.com/posts/2026/spip-plugins-vulnerabilities/
- https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-10.html
Social Media Activity (1 post)
CVE-2026-27744 - Critical (9.8) The SPIP tickets plugin versions prior to 4.3.3 contain an unauthenticated remote code execution vulnerability in the forum preview handling for public ticket pages. The plugin appends untrusted request parameters into HTML that is later rendered... https://www.thehackerwire.com/vulnerability/CVE-2026-27744/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-27744
- Severity: Critical
- CVSS Score: 9.8
- Type: template_injection
- Status: unconfirmed
- EPSS: 22.5%
- Social Posts: 1
CWE
- CWE-94
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H