Home

Description

SPIP before 4.3.6, 4.2.17, and 4.1.20 allows unauthorized content disclosure in the private area. The application does not properly check authorization when displaying content of articles and sections (rubriques) in AJAX-loaded fragments, allowing an authenticated attacker to access restricted content. This vulnerability is not mitigated by the SPIP security screen.

PUBLISHED Reserved 2026-02-19 | Published 2026-02-19 | Updated 2026-02-20 | Assigner VulnCheck




MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Product status

Default status
unaffected

4.1.0 (semver) before 4.1.20
affected

4.2.0 (semver) before 4.2.17
affected

4.3.0 (semver) before 4.3.6
affected

Credits

SPIP security team finder

References

blog.spip.net/...-jour-de-securite-sortie-de-SPIP-4-3-6.html vendor-advisory patch

git.spip.net/spip/spip product

www.vulncheck.com/...on-bypass-leading-to-content-disclosure (VulnCheck Advisory: SPIP < 4.3.6 Authorization Bypass Leading to Content Disclosure) third-party-advisory

cve.org (CVE-2025-71242)

nvd.nist.gov (CVE-2025-71242)

Download JSON