CVE-2025-71241

Sažetak

SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an attacker to inject malicious scripts. This vulnerability is mitigated by the SPIP security screen.

Reference

https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-3-6-SPIP-4-2-17-SPIP-4-1-20.html
https://git.spip.net/spip/spip
https://www.vulncheck.com/advisories/spip-cross-site-scripting-in-private-area

CVSS

Base:	6.1
Impact:	2.7
Exploitability:	2.8

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
LOW	LOW	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Zadnje važnije ažuriranje

02-03-2026 - 15:16

Objavljeno

19-02-2026 - 16:27