CVE-2025-71249
Received Received - Intake
Cross-Site Scripting in SPIP Private Area Before

Publication date: 2026-02-19

Last updated on: 2026-02-19

Assigner: VulnCheck

Description
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-19
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2026-02-19
EPSS Evaluated
N/A
NVD
CVE-2025-71249
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
spip spip to 4.4.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects SPIP versions before 4.4.9 and involves Cross-Site Scripting (XSS) in the private area of the application. It is due to the echappe_anti_xss() function not being systematically applied to certain HTML tags such as input, form, button, and anchor (a) tags. This incomplete application allows an attacker to inject malicious scripts through these elements, bypassing the intended security measures.

Impact Analysis

The vulnerability allows attackers to inject malicious scripts into the private area of SPIP, which can lead to unauthorized actions performed on behalf of legitimate users. This can result in data theft, session hijacking, or manipulation of the application’s behavior, potentially compromising the security and integrity of the affected system.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-71249. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart