Cyber Posture

CVE-2026-27744

Critical · Public PoC

Published: 25 February 2026
Modified: 27 February 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0042 (62.2nd percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

The SPIP tickets plugin versions prior to 4.3.3 contain an unauthenticated remote code execution vulnerability in the forum preview handling for public ticket pages. The plugin appends untrusted request parameters into HTML that is later rendered by a template using unfiltered environment rendering (#ENV**), which disables SPIP output filtering. As a result, an unauthenticated attacker can inject crafted content that is evaluated through SPIP's template processing chain, leading to execution of code in the context of the web server.

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Validates untrusted request parameters before appending them into HTML templates, preventing injection of malicious content that leads to code execution.

prevent: Enforces output filtering on rendered HTML from templates using #ENV**, blocking the evaluation of injected crafted content through SPIP's processing chain.

prevent: Requires timely identification, reporting, and correction of the specific flaw in SPIP tickets plugin versions prior to 4.3.3 via patching.

Security Summary (AI)

CVE-2026-27744 is an unauthenticated remote code execution vulnerability (CWE-94) affecting the SPIP tickets plugin in versions prior to 4.3.3. The issue arises in the forum preview handling for public ticket pages, where the plugin appends untrusted request parameters into HTML that is subsequently rendered by a template using unfiltered environment rendering (#ENV**). This disables SPIP's output filtering, allowing injected content to be evaluated through SPIP's template processing chain and resulting in code execution within the context of the web server. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

An unauthenticated attacker can exploit this vulnerability remotely with low complexity and no user interaction required. By crafting malicious request parameters for the forum preview on public ticket pages, the attacker injects content that bypasses filtering and triggers arbitrary code execution on the server, potentially granting full compromise including data exfiltration, modification, or further lateral movement.

Advisories and references, including the SPIP security blog announcing version 4.4.10, a patch commit in the tickets plugin repository (869935b6687822ed79ad5477626a664d8ea6dcf7), the plugin page, and analyses from Chocapikk and VulnCheck, recommend updating the tickets plugin to version 4.3.3 or later to mitigate the issue.

Details

CWE(s): CWE-94

Affected Products

spip / tickets: ≤ 4.3.3

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated RCE vulnerability in a public-facing SPIP tickets plugin via crafted request parameters, directly enabling exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References