Cross-Site Scripting Vulnerability in SPIP by SPIP Team
CVE-2025-71249

4.8MEDIUM

Key Information:

Vendor

Spip

Status
Spip
Vendor
CVE Published:
19 February 2026

What is CVE-2025-71249?

A vulnerability exists in SPIP prior to version 4.4.9 that allows for Cross-Site Scripting in the private area due to an incomplete fix from version 4.4.8. The echappe_anti_xss() function is not consistently applied across all input fields, including form, button, and anchor (a) HTML tags. This oversight enables attackers to inject harmful scripts through these elements, posing significant risks to users who interact with the affected areas. The existing SPIP security measures do not adequately mitigate this flaw.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

SPIP 4.4.0 < 4.4.9

References

https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-S...
vendor-advisorypatch
https://git.spip.net/spip/spip
product
https://www.vulncheck.com/advisories/spip-cross-site-scri...
third-party-advisory

CVSS V4

Score:
4.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dorian Piette (Trachinus)
JSON
.