Key information

Vulnerability name: SPIP < 4.4.8 Cross-Site Scripting in Public Area
Severity: Medium
Date: 2/19/2026
Affected versions: SPIP <= 4.4.0
CVE: CVE-2026-26345
CVE description: CVE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS score: 4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

References:
- https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-8.html
- https://git.spip.net/spip/spip

Reported by:
- Arthur Deloffre (Vozec)
- Louka Jacques-Chevallier (Laluka)
- Philippe Boussin

Description:
- SPIP before 4.4.8 allows Cross-Site Scripting (XSS) in the public area for certain edge-case usage patterns. The function does not adequately detect all forms of malicious content, permitting an attacker to inject scripts that execute in a visitor's browser. This vulnerability is not mitigated by the SPIP security screen.