How to Fix CVE-2026-27744: tickets (Bundle Sibling)

By Sai Kiran Pandrala. Last verified: 2026-05-25.

CVE-2026-27744 is a sibling vulnerability in the same vendor advisory as CVE-2026-22205. Apply the same patched build and you close both. The technical detail below is what differs.

What's different about CVE-2026-27744?

The SPIP tickets plugin versions prior to 4.3.3 contain an unauthenticated remote code execution vulnerability in the forum preview handling for public ticket pages. The plugin appends untrusted request parameters into HTML that is later rendered by a template using unfiltered environment rendering (#ENV**), which disables SPIP output filtering. As a result, an unauthenticated attacker can inject crafted content that is evaluated through SPIP's template processing chain, leading to execution of code in the context of the web server.

How to fix CVE-2026-27744

Apply the patched build per the primary write-up: How to Fix CVE-2026-22205. All commands, verification steps, and rollback notes for tickets are listed there.

Frequently asked questions

Does the CVE-2026-22205 patch close CVE-2026-27744?

Yes. Both CVEs are addressed by the same vendor patch. Applying the patched build closes the full bundle.

Is CVE-2026-27744 listed in CISA KEV?

No public KEV listing at the time of this writing.

Where is the official advisory?

See https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-10.html

References

• Official vendor advisory: https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-10.html
• NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27744
• CISA KEV catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• Primary: How to Fix CVE-2026-22205

*Written by Sai Kiran Pandrala. Part of the tickets bundle. Full procedure at how-to-fix-cve-2026-22205.*