Cyber Posture

CVE-2026-27744

Critical · Public PoC · RCE

Published: 25 February 2026
Modified: 27 February 2026
KEV Added: not listed
Patch: available (see Deeper analysis)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0042 (62.3rd percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27744 is a critical-severity Code Injection (CWE-94) vulnerability in Spip Tickets. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 37.7% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- prevent: Validates untrusted request parameters before appending them into HTML templates, preventing injection of malicious content that leads to code execution.
- prevent: Enforces output filtering on rendered HTML from templates using #ENV**, blocking the evaluation of injected crafted content through SPIP's processing chain.
- prevent: Requires timely identification, reporting, and correction of the specific flaw in SPIP tickets plugin versions prior to 4.3.3 via patching.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Unauthenticated RCE vulnerability in a public-facing SPIP tickets plugin via crafted request parameters, directly enabling exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The SPIP tickets plugin versions prior to 4.3.3 contain an unauthenticated remote code execution vulnerability in the forum preview handling for public ticket pages. The plugin appends untrusted request parameters into HTML that is later rendered by a template using unfiltered environment rendering (#ENV**), which disables SPIP output filtering. As a result, an unauthenticated attacker can inject crafted content that is evaluated through SPIP's template processing chain, leading to execution of code in the context of the web server.

Deeper analysis [AI-generated]

CVE-2026-27744 is an unauthenticated remote code execution vulnerability (CWE-94) affecting the SPIP tickets plugin in versions prior to 4.3.3. The issue arises in the forum preview handling for public ticket pages, where the plugin appends untrusted request parameters into HTML that is subsequently rendered by a template using unfiltered environment rendering (#ENV**). This disables SPIP's output filtering, allowing injected content to be evaluated through SPIP's template processing chain and resulting in code execution within the context of the web server. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

An unauthenticated attacker can exploit this vulnerability remotely with low complexity and no user interaction required. By crafting malicious request parameters for the forum preview on public ticket pages, the attacker injects content that bypasses filtering and triggers arbitrary code execution on the server, potentially granting full compromise including data exfiltration, modification, or further lateral movement.
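The NVD description and the analysis above both turn on one template construct: request-derived data reaching a double-starred tag (#ENV**), which bypasses SPIP's output filtering. The following is an added example of a defender-side template audit, not code from the SPIP project or the tickets plugin; the tag regex and the sample squelette are constructed for illustration.

```python
import re
from typing import List, NamedTuple

# SPIP template tags can relax output filtering with a star suffix:
#   #ENV{x}    -> automatic formatting filters and the final security filter apply
#   #ENV*{x}   -> automatic formatting filters skipped, security filter still applies
#   #ENV**{x}  -> every filter skipped, the value is rendered verbatim
# The advisory's flaw is request-controlled data reaching a #ENV** tag, so an
# audit of a site's own templates looks for exactly that suffix.
STARRED_TAG_RE = re.compile(r"#([A-Z_]+)(\*{1,2})(?:\{([^}]*)\})?")

class Finding(NamedTuple):
    line_no: int
    tag: str        # e.g. "ENV"
    stars: str      # "*" or "**"
    argument: str   # text inside the braces, "" when the tag has none

def find_starred_tags(template: str) -> List[Finding]:
    """Return every starred tag in a SPIP template, with its line number."""
    findings: List[Finding] = []
    for line_no, line in enumerate(template.splitlines(), start=1):
        for m in STARRED_TAG_RE.finditer(line):
            findings.append(Finding(line_no, m.group(1), m.group(2), m.group(3) or ""))
    return findings

def unfiltered_env_tags(template: str) -> List[Finding]:
    """Only the high-risk case: #ENV** renders environment data with no filtering."""
    return [f for f in find_starred_tags(template)
            if f.tag == "ENV" and f.stars == "**"]

# Constructed sample template (hypothetical; not the tickets plugin's real squelette).
SAMPLE_TEMPLATE = """\
<h2>#ENV{titre}</h2>
<div class="previsu">[(#ENV**{previsu})]</div>
<p>[(#ENV*{texte}|propre)]</p>
"""

if __name__ == "__main__":
    for f in unfiltered_env_tags(SAMPLE_TEMPLATE):
        print(f"line {f.line_no}: #{f.tag}{f.stars}{{{f.argument}}} is rendered unfiltered")
```

Single-starred tags are reported too so a reviewer can confirm the security filter still applies to them; only the double-starred #ENV hits need a trace back to whether the variable is request-controlled.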

Advisories and references, including the SPIP security blog announcing version 4.4.10, a patch commit in the tickets plugin repository (869935b6687822ed79ad5477626a664d8ea6dcf7), the plugin page, and analyses from Chocapikk and VulnCheck, recommend updating the tickets plugin to version 4.3.3 or later to mitigate the issue.

Details

CWE(s): CWE-94 (Code Injection)

Affected Products

spip / tickets ≤ 4.3.3

CVEs Like This One

CVE-2025-71243 (same vendor: Spip)
CVE-2026-27745 (same vendor: Spip)
CVE-2026-22205 (same vendor: Spip)
CVE-2026-27475 (same vendor: Spip)
CVE-2026-35178 (shared CWE-94)
CVE-2024-1490 (shared CWE-94)
CVE-2024-7419 (shared CWE-94)
CVE-2025-46581 (shared CWE-94)
CVE-2025-65037 (shared CWE-94)
CVE-2025-10679 (shared CWE-94)

References