Description
SPIP before 4.2.15 allows Cross-Site Scripting (XSS) via crafted content in HTML code tags. The application does not properly verify JavaScript within code tags, allowing an attacker to inject malicious scripts that execute in a victim's browser.
Published: 2026-02-19
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

No analysis available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 15:30:00 +0000

Type Values Removed Values Added
Description SPIP before 4.2.15 allows Cross-Site Scripting (XSS) via crafted content in HTML code tags. The application does not properly verify JavaScript within code tags, allowing an attacker to inject malicious scripts that execute in a victim's browser.
Title SPIP < 4.2.15 Cross-Site Scripting via Code Tags
First Time appeared Spip
Spip spip
Weaknesses CWE-79
CPEs cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*
Vendors & Products Spip
Spip spip
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Spip Spip
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:29:56.654Z

Reserved: 2026-02-19T03:00:22.781Z

Link: CVE-2025-71240

cve-icon Vulnrichment

Updated: 2026-02-19T20:22:07.549Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-19T16:27:11.690

Modified: 2026-02-24T18:53:21.910

Link: CVE-2025-71240

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-02-20T10:06:40Z

Weaknesses