VYPR
Unrated severityNVD Advisory· Published Feb 19, 2026· Updated Mar 5, 2026

SPIP < 4.3.6 Cross-Site Scripting in Private Area

CVE-2025-71241

Description

SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an attacker to inject malicious scripts. This vulnerability is mitigated by the SPIP security screen.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Spip/Spipllm-fuzzy2 versions
    <4.3.6, <4.2.17, <4.1.20+ 1 more
    • (no CPE)range: <4.3.6, <4.2.17, <4.1.20
    • (no CPE)range: 4.1.0

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.