Unrated severityNVD Advisory· Published Feb 19, 2026· Updated Mar 5, 2026
SPIP < 4.3.6 Cross-Site Scripting in Private Area
CVE-2025-71241
Description
SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an attacker to inject malicious scripts. This vulnerability is mitigated by the SPIP security screen.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
2- blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-3-6-SPIP-4-2-17-SPIP-4-1-20.htmlmitrevendor-advisorypatch
- www.vulncheck.com/advisories/spip-cross-site-scripting-in-private-areamitrethird-party-advisory
News mentions
0No linked articles in our index yet.