CVE-2025-71241 — Cross-site Scripting in Spip

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

4.8MEDIUMNVD

EPSS

0.0%

top 89.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Spip Debian Spip

Timeline

PublishedFeb 19

Description

SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an attacker to inject malicious scripts. This vulnerability is mitigated by the SPIP security screen.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Affected Packages3 packages

▶NVDspip/spip4.1.0 — 4.1.20+2

▶debiandebian/spip< spip 4.3.6+dfsg-1 (forky)

▶Debianspip/spip< 4.3.6+dfsg-1+1

🔴Vulnerability Details

OSV

CVE-2025-71241: SPIP before 4↗2026-02-19

▶

GHSA

GHSA-rpjf-2xrw-h2w5: SPIP before 4↗2026-02-19

▶

📋Vendor Advisories

Debian

CVE-2025-71241: spip - SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the p...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-71241 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶