Cyber Resilience

CVE-2026-27744

CriticalPublic PoCRCE

Published: 25 February 2026

Published
25 February 2026
Modified
27 February 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0091 55.3th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-27744 is a critical-severity Code Injection (CWE-94) vulnerability in Spip Tickets. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 44.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-27744 is an unauthenticated remote code execution vulnerability (CWE-94) affecting the SPIP tickets plugin in versions prior to 4.3.3. The issue arises in the forum preview handling for public ticket pages, where the plugin appends untrusted request parameters into HTML that is subsequently rendered by a template using unfiltered environment rendering (#ENV**). This disables SPIP's output filtering, allowing injected content to be evaluated through SPIP's template processing chain and resulting in code execution within the context of the web server. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

An unauthenticated attacker can exploit this vulnerability remotely with low complexity and no user interaction required. By crafting malicious request parameters for the forum preview on public ticket pages, the attacker injects content that bypasses filtering and triggers arbitrary code execution on the server, potentially granting full compromise including data exfiltration, modification, or further lateral movement.

Advisories and references, including the SPIP security blog announcing version 4.4.10, a patch commit in the tickets plugin repository (869935b6687822ed79ad5477626a664d8ea6dcf7), the plugin page, and analyses from Chocapikk and VulnCheck, recommend updating the tickets plugin to version 4.3.3 or later to mitigate the issue.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The SPIP tickets plugin versions prior to 4.3.3 contain an unauthenticated remote code execution vulnerability in the forum preview handling for public ticket pages. The plugin appends untrusted request parameters into HTML that is later rendered by a template using…

more

unfiltered environment rendering (#ENV**), which disables SPIP output filtering. As a result, an unauthenticated attacker can inject crafted content that is evaluated through SPIP's template processing chain, leading to execution of code in the context of the web server.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated RCE vulnerability in a public-facing SPIP tickets plugin via crafted request parameters, directly enabling exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-71243Same vendor: Spip
CVE-2026-27745Same vendor: Spip
CVE-2026-22205Same vendor: Spip
CVE-2026-27475Same vendor: Spip
CVE-2026-41229Shared CWE-94
CVE-2026-44262Shared CWE-94
CVE-2026-40563Shared CWE-94
CVE-2024-32641Shared CWE-94
CVE-2026-2052Shared CWE-94
CVE-2026-9170Shared CWE-94

Affected Assets

spip
tickets
≤ 4.3.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Validates untrusted request parameters before appending them into HTML templates, preventing injection of malicious content that leads to code execution.

prevent

Enforces output filtering on rendered HTML from templates using #ENV**, blocking the evaluation of injected crafted content through SPIP's processing chain.

prevent

Requires timely identification, reporting, and correction of the specific flaw in SPIP tickets plugin versions prior to 4.3.3 via patching.

References