Cross-Site Scripting Vulnerability in SPIP by SPIP team
CVE-2025-71241

4.8MEDIUM

Key Information:

Vendor: Spip
Status: Spip
Vendor: CVE Published:; 19 February 2026

What is CVE-2025-71241?

The SPIP content management system versions prior to 4.3.6, 4.2.17, and 4.1.20 are susceptible to a Cross-Site Scripting (XSS) vulnerability. This issue arises in the private area of the application, specifically through an inadequately sanitized error message generated by the 'transmettre' API. Attackers can exploit this flaw by injecting malicious scripts, potentially compromising the integrity of the application. Mitigation is available through the implementation of the SPIP security screen.

Affected Version(s)

SPIP 4.1.0 < 4.1.20

SPIP 4.2.0 < 4.2.17

SPIP 4.3.0 < 4.3.6

References

https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-S...

vendor-advisorypatch

https://git.spip.net/spip/spip

product

https://www.vulncheck.com/advisories/spip-cross-site-scri...

third-party-advisory

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 19, 2026
Vulnerability Reserved
Feb 19, 2026

Credit

Glop

Tom

Mika

CVE-2025-71241 Data

JSON

Spip

What is CVE-2025-71241?

Affected Version(s)

References

CVSS V4

Timeline

Credit