VYPR

Spip

by Spip


CVEs (78)

  • CVE-2026-26345 (Feb 19, 2026)
    risk 0.00 cvss, epss 0.00

    SPIP before 4.4.8 contains a stored cross-site scripting (XSS) vulnerability in the public area triggered in certain edge-case usage patterns. The echapper_html_suspect() function does not adequately sanitize user-controlled content, allowing authenticated users with…

  • CVE-2025-71244 (Feb 19, 2026)
    risk 0.00 cvss, epss 0.00

    SPIP before 4.4.5 and 4.3.9 allows an Open Redirect via the login form when used in AJAX mode. An attacker can craft a malicious URL that, when visited by a victim, redirects them to an arbitrary external site after login. This vulnerability only affects sites where the login…

  • CVE-2025-71242 (Feb 19, 2026)
    risk 0.00 cvss, epss 0.00

    SPIP before 4.3.6, 4.2.17, and 4.1.20 allows unauthorized content disclosure in the private area. The application does not properly check authorization when displaying content of articles and sections (rubriques) in AJAX-loaded fragments, allowing an authenticated attacker to…

  • CVE-2025-71241 (Feb 19, 2026)
    risk 0.00 cvss, epss 0.00

    SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an attacker to inject malicious scripts. This vulnerability is mitigated by the…

  • CVE-2025-71240 (Feb 19, 2026)
    risk 0.00 cvss, epss 0.00

    SPIP before 4.2.15 allows Cross-Site Scripting (XSS) via crafted content in HTML code tags. The application does not properly verify JavaScript within code tags, allowing an attacker to inject malicious scripts that execute in a victim's browser.

  • CVE-2024-53619 (Nov 26, 2024)
    risk 0.00 cvss, epss 0.01

    An authenticated arbitrary file upload vulnerability in the Documents module of SPIP v4.3.3 allows attackers to execute arbitrary code via uploading a crafted PDF file.

  • CVE-2024-53620 (Nov 26, 2024)
    risk 0.00 cvss, epss 0.00

    A cross-site scripting (XSS) vulnerability in the Article module of SPIP v4.3.3 allows authenticated attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Title parameter.

  • CVE-2024-23659 (Jan 19, 2024)
    risk 0.00 cvss, epss 0.00

    SPIP before 4.1.14 and 4.2.x before 4.2.8 allows XSS via the name of an uploaded file. This is related to javascript/bigup.js and javascript/bigup.utils.js.

  • CVE-2023-52322 (Jan 4, 2024)
    risk 0.00 cvss, epss 0.00

    ecrire/public/assembler.php in SPIP before 4.1.13 and 4.2.x before 4.2.7 allows XSS because input from _request() is not restricted to safe characters such as alphanumerics.

  • CVE-2023-24258 (Feb 27, 2023)
    risk 0.00 cvss, epss 0.02

    SPIP v4.1.5 and earlier was discovered to contain a SQL injection vulnerability via the _oups parameter. This vulnerability allows attackers to execute arbitrary code via a crafted POST request.

  • CVE-2022-37155 (Dec 13, 2022)
    risk 0.00 cvss, epss 0.40

    RCE in SPIP 3.1.13 through 4.1.2 allows remote authenticated users to execute arbitrary code via the _oups parameter.

  • CVE-2022-28961 (May 19, 2022)
    risk 0.00 cvss, epss 0.02

    Spip Web Framework v3.1.13 and below was discovered to contain multiple SQL injection vulnerabilities at /ecrire via the lier_trad and where parameters.

  • CVE-2022-28960 (May 19, 2022)
    risk 0.00 cvss, epss 0.02

    A PHP injection vulnerability in Spip before v3.2.8 allows attackers to execute arbitrary PHP code via the _oups parameter at /ecrire.

  • CVE-2022-28959 (May 19, 2022)
    risk 0.00 cvss, epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in the component /spip.php of Spip Web Framework v3.1.13 and below allow attackers to execute arbitrary web scripts or HTML.

  • CVE-2022-26846 (Mar 10, 2022)
    risk 0.00 cvss, epss 0.03

    SPIP before 3.2.14 and 4.x before 4.0.5 allows remote authenticated editors to execute arbitrary code.

  • CVE-2022-26847 (Mar 10, 2022)
    risk 0.00 cvss, epss 0.01

    SPIP before 3.2.14 and 4.x before 4.0.5 allows unauthenticated access to information about editorial objects.

  • CVE-2021-44123 (Jan 26, 2022)
    risk 0.00 cvss, epss 0.02

    SPIP 4.0.0 is affected by a remote command execution vulnerability. To exploit the vulnerability, an attacker must craft a malicious picture with a double extension, upload it and then click on it to execute it.

  • CVE-2021-44122 (Jan 26, 2022)
    risk 0.00 cvss, epss 0.00

    SPIP 4.0.0 is affected by a Cross Site Request Forgery (CSRF) vulnerability in ecrire/public/aiguiller.php, ecrire/public/balises.php, ecrire/balise/formulaire_.php. To exploit the vulnerability, a visitor must visit a malicious website which redirects to the SPIP website. It is…

  • CVE-2021-44120 (Jan 26, 2022)
    risk 0.00 cvss, epss 0.01

    SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability in ecrire/public/interfaces.php, adding the function safehtml to the vulnerable fields. An editor is able to modify his personal information. If the editor has an article written and available, when a user goes…

  • CVE-2021-44118 (Jan 26, 2022)
    risk 0.00 cvss, epss 0.01

    SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability. To exploit the vulnerability, a visitor must browse to a malicious SVG file. The vulnerability allows an authenticated attacker to inject malicious code running on the client side into web pages visited by…