SPIP tickets < 4.3.3 Unauthenticated RCE

The impact of CVE-2026-27744 is severe. An attacker can leverage this vulnerability to gain complete control over the web server hosting the SPIP Tickets plugin. This could involve data theft, modification of website content, installation of malware, or even complete system compromise. The lack of authentication required to exploit this vulnerability significantly broadens the attack surface, making it accessible to a wide range of threat actors. The use of unfiltered environment rendering (#ENV**) amplifies the risk, allowing for complex code injection and execution within the SPIP template processing chain. This vulnerability shares similarities with other template injection vulnerabilities where untrusted data is directly incorporated into rendered output without proper sanitization.

Websites and applications utilizing the SPIP Tickets plugin, particularly those with public ticket forums enabled, are at significant risk. Shared hosting environments where multiple websites share the same server instance are especially vulnerable, as a compromise of one site could potentially lead to the compromise of others. Legacy SPIP installations running older versions of the plugin are also at heightened risk.

• php: Examine web server access logs for unusual POST requests to the forum preview endpoint, particularly those containing suspicious HTML or JavaScript code.

grep -i 'script|eval|javascript' /var/log/apache2/access.log

• php: Check the SPIP Tickets plugin configuration for any unusual settings related to template rendering or environment variables. • generic web: Monitor for unexpected file modifications or creation within the SPIP installation directory, which could indicate successful code execution. • generic web: Review PHP error logs for any errors related to template processing or environment variable expansion.

1. 2026-02-25Disclosure

   disclosure

1. Reservado2026-02-23
2. Publicada2026-02-25
3. Modificada2026-03-05
4. EPSS atualizado2026-03-23

The primary mitigation for CVE-2026-27744 is to immediately upgrade the SPIP Tickets plugin to version 4.3.3 or later. If an immediate upgrade is not feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. While a direct WAF rule is difficult to implement due to the complexity of the injection point, carefully reviewing and restricting user input in the forum preview functionality can reduce the attack surface. Disabling the public ticket preview feature, if not essential, is another potential short-term mitigation. After upgrading, confirm the vulnerability is resolved by attempting to reproduce the exploit scenario with a test payload; successful mitigation should prevent code execution.