CVE-2026-27744

9.8 CRITICAL

📋 TL;DR

The SPIP tickets plugin contains an unauthenticated remote code execution vulnerability in forum preview handling. Attackers can inject malicious content that gets executed through SPIP's template processing, allowing arbitrary code execution on affected web servers. All users running SPIP tickets plugin versions before 4.3.3 are affected.

💻 Affected Systems

Products:
  • SPIP tickets plugin
Versions: All versions prior to 4.3.3
Operating Systems: Any OS running SPIP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the tickets plugin to be installed and enabled with public ticket pages accessible.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise allowing an attacker to execute arbitrary commands, access sensitive data, install malware, or pivot to other systems.

🟠 Likely Case: Website defacement, data theft, or installation of web shells for persistent access.

🟢 If Mitigated: Limited impact if proper network segmentation and web application firewalls are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in template processing with unfiltered environment rendering (#ENV**), making exploitation straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.3.3

Vendor Advisory: https://plugins.spip.net/tickets

Restart Required: No

Instructions:

1. Update the SPIP tickets plugin to version 4.3.3 or later.
2. Download it from plugins.spip.net/tickets.
3. Replace the existing tickets plugin directory with the updated version.
4. Clear the SPIP cache if applicable.

🔧 Temporary Workarounds

Disable public ticket pages
  Applies to: all
  Temporarily disable public access to ticket pages until patching is complete.
  How: Modify the SPIP configuration to restrict access to ticket functionality.

Web Application Firewall rule
  Applies to: all
  Block requests containing suspicious template injection patterns.
  How: Configure the WAF to filter requests with #ENV patterns or unusual parameter values.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the vulnerable system
  • Deploy a web application firewall with rules to detect and block exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check the tickets plugin version in SPIP administration panel or examine the plugin directory version file.

Check Version:

Check the version.txt file in the tickets plugin directory or use SPIP's plugin management interface.

Verify Fix Applied:

Confirm tickets plugin version is 4.3.3 or higher in SPIP administration.
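The version check above, as an added example that is not part of this advisory: it reads the plugin's version.txt (assumed here to contain a dotted version such as 4.3.2 somewhere in its text) and compares it numerically against the fixed release, so that 4.3.10 is correctly treated as newer than 4.3.3. The plugin directory path is a placeholder to be replaced with the real location on the server.

```python
import re
from pathlib import Path

# First fixed release according to the advisory.
FIXED_VERSION = (4, 3, 3)


def parse_version(text):
    """Return the first dotted version number found in text as a tuple of ints.

    Tuple comparison is numeric per component, so '4.3.10' > '4.3.3',
    which a plain string comparison would get wrong.
    """
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError("no version number found in version file")
    return tuple(int(part) for part in match.groups())


def is_fixed(version_text):
    """True if the version in version_text is 4.3.3 or later."""
    return parse_version(version_text) >= FIXED_VERSION


def check_plugin_dir(plugin_dir):
    """Read <plugin_dir>/version.txt and report whether the fix is applied.

    Assumption: version.txt holds the plugin version, as the advisory states.
    """
    version_file = Path(plugin_dir) / "version.txt"
    return is_fixed(version_file.read_text(encoding="utf-8"))


if __name__ == "__main__":
    # Placeholder path; replace with the actual SPIP plugins directory.
    plugin_dir = "/path/to/spip/plugins/tickets"
    try:
        status = "patched" if check_plugin_dir(plugin_dir) else "VULNERABLE"
    except (OSError, ValueError) as exc:
        status = f"unable to determine ({exc})"
    print(f"tickets plugin at {plugin_dir}: {status}")
```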

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to ticket pages with #ENV patterns
  • Multiple failed exploitation attempts
  • Unexpected PHP/system command execution

Network Indicators:

  • HTTP requests containing template injection patterns (#ENV**)
  • Traffic to ticket preview endpoints with unusual parameters

SIEM Query:

web.url:*tickets* AND (web.param:*ENV* OR web.param:*%23ENV*)
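The log indicators and SIEM query above, applied to raw access logs as an added example (not from this advisory or from the SPIP project): the script parses common-log-format lines, keeps only requests whose URL refers to ticket pages, percent-decodes the request repeatedly so that both `%23ENV` and the double-encoded `%2523ENV` surface as `#ENV`, and tallies matching requests per source address so repeated attempts from one host stand out. The log lines and the query parameter names in them are constructed for the example and do not describe the real plugin's parameters.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not from any real server.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2026:10:00:01 +0000] "GET /spip.php?page=ticket&id_ticket=12 HTTP/1.1" 200 5120
203.0.113.11 - - [01/Mar/2026:10:00:05 +0000] "POST /spip.php?page=ticket&id_ticket=12 HTTP/1.1" 200 7300
203.0.113.12 - - [01/Mar/2026:10:01:09 +0000] "POST /spip.php?page=ticket&id_ticket=12&apercu=%23ENV%2A%2A HTTP/1.1" 200 7400
203.0.113.12 - - [01/Mar/2026:10:01:15 +0000] "POST /spip.php?page=ticket&id_ticket=12&apercu=%23ENV%2A%2Ax HTTP/1.1" 200 7400
203.0.113.13 - - [01/Mar/2026:10:02:00 +0000] "GET /spip.php?page=tickets&texte=%2523ENV HTTP/1.1" 200 3000
203.0.113.14 - - [01/Mar/2026:10:03:00 +0000] "GET /spip.php?page=article&id_article=3&q=%23ENV HTTP/1.1" 200 2000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def fully_decode(value, max_rounds=3):
    """Percent-decode until stable so %23ENV and %2523ENV both become #ENV."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_ticket_request(url):
    """Mirror the SIEM query's web.url:*tickets* clause (case-insensitive)."""
    return "ticket" in url.lower()


def has_env_marker(url):
    """Mirror web.param:*ENV* / *%23ENV* by looking for #ENV after decoding."""
    return "#ENV" in fully_decode(url).upper()


def scan_log(text):
    """Return one record per request that hits a ticket page with a #ENV marker."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip malformed or empty lines
        url = match.group("url")
        if is_ticket_request(url) and has_env_marker(url):
            hits.append({
                "ip": match.group("ip"),
                "time": match.group("ts"),
                "method": match.group("method"),
                "url": url,
                "decoded": fully_decode(url),
            })
    return hits


def attempts_by_ip(hits):
    """Count matching requests per source address to surface repeated attempts."""
    return Counter(hit["ip"] for hit in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(f"{hit['time']} {hit['ip']} {hit['method']} {hit['decoded']}")
    for ip, count in attempts_by_ip(found).most_common():
        print(f"{ip}: {count} matching request(s)")
```

Note that the last sample line carries a `#ENV` marker but targets an article page, not a ticket page, so it is deliberately not reported; widen `is_ticket_request` if you want to alert on every occurrence of the pattern regardless of endpoint.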
