Key Vulnerability Information

Advisory: SPIP < 4.4.9 Cross-Site Scripting in Private Area (Incomplete Fix)
Severity: MEDIUM
Date: 2/19/2026
Affected Software: SPIP
CVE: CVE-2022-27474
Related CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description: SPIP before 4.4.9 allows Cross-Site Scripting (XSS) in the private area, complementing an incomplete fix from SPIP 4.4.8. The function was not systematically applied to input, form, button, and anchor (a) HTML tags, allowing an attacker to inject malicious scripts through these elements. This vulnerability is not mitigated by the SPIP security screen.

References:
https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-9.html
https://git.spip.net/spip/spip

Credit: Dorian Piette (Trachinus)