Home

Description

SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an attacker to inject malicious scripts. This vulnerability is mitigated by the SPIP security screen.

PUBLISHED Reserved 2026-02-19 | Published 2026-02-19 | Updated 2026-02-20 | Assigner VulnCheck




MEDIUM: 4.8CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

MEDIUM: 5.4CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status
unaffected

4.1.0 (semver) before 4.1.20
affected

4.2.0 (semver) before 4.2.17
affected

4.3.0 (semver) before 4.3.6
affected

Credits

Glop finder

Tom finder

Mika finder

References

blog.spip.net/...-de-SPIP-4-3-6-SPIP-4-2-17-SPIP-4-1-20.html vendor-advisory patch

git.spip.net/spip/spip product

www.vulncheck.com/...ip-cross-site-scripting-in-private-area (VulnCheck Advisory: SPIP < 4.3.6 Cross-Site Scripting in Private Area) third-party-advisory

cve.org (CVE-2025-71241)

nvd.nist.gov (CVE-2025-71241)

Download JSON