Insecure Deserialization in SPIP Affects Multiple Versions by SPIP Team
CVE-2025-71250
9.2 CRITICAL
What is CVE-2025-71250?
SPIP versions prior to 4.4.9 are susceptible to an Insecure Deserialization vulnerability in the table_valeur filter and the DATA iterator, both of which accept PHP-serialized data from user input. An attacker able to inject malicious serialized content can trigger arbitrary object instantiation, potentially leading to code execution. The use of serialized data in these areas has been deprecated and will be removed in SPIP version 5, but the flaw remains a significant risk in affected releases. Notably, this vulnerability is not effectively mitigated by SPIP’s existing security measures.
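The following is an added illustration of the weakness class described above and of two defensive patterns; it is not SPIP's code and does not reproduce the table_valeur filter or DATA iterator. The class name LegacyRecord, the function names, and the serialized sample string are constructed for the example.

```php
<?php
// Added example (not SPIP's code): why unserialize() on user input is dangerous
// and how a defender can neutralise it. All names here are hypothetical.

// Constructed class standing in for any class that is loadable in the
// application. Magic methods such as __wakeup() run automatically when
// unserialize() rebuilds an object, which is what makes attacker-chosen
// class instantiation risky.
class LegacyRecord {
    public $name;
    public function __wakeup() {
        error_log('LegacyRecord::__wakeup ran during unserialize()');
    }
}

// Constructed sample of the kind of string a caller might supply: a
// PHP-serialized object. Here it names a harmless class; the point is that
// the class is chosen by whoever controls the input.
$untrusted = 'O:12:"LegacyRecord":1:{s:4:"name";s:5:"hello";}';

// Weak pattern: any class named in the payload is instantiated and its
// magic methods execute before the application sees the value.
function decode_weak(string $input) {
    return unserialize($input);
}

// Hardened option 1: keep reading legacy serialized data but refuse to build
// objects. With allowed_classes => false every object becomes a
// __PHP_Incomplete_Class placeholder and no __wakeup()/__destruct() runs.
function decode_no_objects(string $input) {
    $value = @unserialize($input, ['allowed_classes' => false]);
    // unserialize() returns false both on failure and for the literal
    // serialized false ('b:0;'), so distinguish the two explicitly.
    if ($value === false && $input !== 'b:0;') {
        return null;
    }
    return $value;
}

// Hardened option 2 (what deprecating serialized input moves towards):
// accept JSON only. json_decode() yields arrays and scalars and can never
// instantiate an application class.
function decode_json_only(string $input) {
    return json_decode($input, true, 512, JSON_THROW_ON_ERROR);
}

// Detection aid for logs or a WAF rule: flag input that looks like a
// PHP-serialized object or class payload so reviewers can spot attempts.
function looks_like_serialized_object(string $input): bool {
    return (bool) preg_match('/^[OC]:\d+:"/', $input);
}

// Demonstration of the three paths on the constructed sample.
var_dump(decode_weak($untrusted) instanceof LegacyRecord);          // true, __wakeup ran
var_dump(decode_no_objects($untrusted) instanceof __PHP_Incomplete_Class); // true, no magic methods
var_dump(looks_like_serialized_object($untrusted));               // true
try {
    decode_json_only($untrusted);                                  // throws JsonException
} catch (JsonException $e) {
    echo "rejected non-JSON input: ", $e->getMessage(), PHP_EOL;
}
```

The second option is the minimal change when a code path must keep reading serialized strings for compatibility; the third is the replacement a code base should converge on, since JSON carries data but not class identity.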
Affected Version(s)
SPIP 4.4.0 < 4.4.9
