CVE-2025-71244 — Open Redirect in Spip

CWE-601 — Open Redirect5 documents5 sources

Severity

5.1MEDIUMNVD

EPSS

0.0%

top 91.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Spip Debian Spip

Timeline

PublishedFeb 19

Description

SPIP before 4.4.5 and 4.3.9 allows an Open Redirect via the login form when used in AJAX mode. An attacker can craft a malicious URL that, when visited by a victim, redirects them to an arbitrary external site after login. This vulnerability only affects sites where the login page has been overridden to function in AJAX mode. It is not mitigated by the SPIP security screen.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

▶NVDspip/spip4.3.0 — 4.3.9+1

▶debiandebian/spip< spip 4.4.5+dfsg-1 (forky)

▶Debianspip/spip< 4.4.5+dfsg-1+1

🔴Vulnerability Details

OSV

CVE-2025-71244: SPIP before 4↗2026-02-19

▶

GHSA

GHSA-86cf-7cvr-x43r: SPIP before 4↗2026-02-19

▶

📋Vendor Advisories

Debian

CVE-2025-71244: spip - SPIP before 4.4.5 and 4.3.9 allows an Open Redirect via the login form when used...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-71244 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶