SPIP < 4.3.6 Cross-Site Scripting in Private Area_CVE-2025-71241

4.8 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Description

SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an attacker to inject malicious scripts. This vulnerability is mitigated by the SPIP security screen.

Basic Information

ID CVE-2025-71241

Source VulnCheck

Published Feb 19, 2026 at 14:58

Affected Product

Vendor SPIP

Product SPIP

Version 4.1.0

Affected Versions SPIP SPIP 4.1.0
SPIP SPIP 4.2.0
SPIP SPIP 4.3.0

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an attacker to inject malicious scripts. This vulnerability is mitigated by the SPIP security screen.",
    "published": "2026-02-19T14:58:13.755Z",
    "modified": "2026-02-19T14:58:13.755Z",
    "type": "cve",
    "title": "SPIP < 4.3.6 Cross-Site Scripting in Private Area",
    "source": "VulnCheck",
    "references": "https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-3-6-SPIP-4-2-17-SPIP-4-1-20.html\nhttps://git.spip.net/spip/spip\nhttps://www.vulncheck.com/advisories/spip-cross-site-scripting-in-private-area",
    "id": "CVE-2025-71241",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "SPIP SPIP 4.1.0\nSPIP SPIP 4.2.0\nSPIP SPIP 4.3.0",
    "sourceHref": "",
    "cvss": {
        "score": 4.8,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "SPIP",
    "version": "4.1.0",
    "vendor": "SPIP",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}