Blind Server-Side Request Forgery in SPIP Affects Multiple Versions
CVE-2025-71247

5.3MEDIUM

Key Information:

Vendor: Spip
Status: Spip
Vendor: CVE Published:; 19 February 2026

What is CVE-2025-71247?

The SPIP content management system, prior to version 4.4.9, is susceptible to a Blind Server-Side Request Forgery vulnerability. This weakness arises in the private area of the application, particularly while editing syndicated sites. The system fails to validate the syndication URL, allowing an authenticated attacker to direct the server to send requests to arbitrary internal or external destinations. Unfortunately, this issue is not addressed by the existing SPIP security measures, posing a significant risk for users and their data.

Affected Version(s)

SPIP 4.4.0 < 4.4.9

References

https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-S...

vendor-advisorypatch

https://git.spip.net/spip/spip

product

https://www.vulncheck.com/advisories/spip-blind-server-si...

third-party-advisory

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 19, 2026
Vulnerability Reserved
Feb 19, 2026

Credit

Dorian Piette (Trachinus)

CVE-2025-71247 Data

JSON

Spip

What is CVE-2025-71247?

Affected Version(s)

References

CVSS V4

Timeline

Credit