CVE-2025-71248 - Vulnerability Details

SPIP before 4.4.9 allows Stored Cross-Site Scripting (XSS) via syndicated sites in the private area. The #URL_SYNDIC output is not properly sanitized on the private syndicated site page, allowing an attacker who can set a malicious syndication URL to inject persistent scripts that execute when other administrators view the syndicated site details.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SPIP

unaffected

Version	Status	Constraints
`4.4.0`	affected	< 4.4.9

No data.

Project Subscriptions

Vendors	Products
Spip Subscribe	Spip Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-9.html
https://git.spip.net/spip/spip
https://www.vulncheck.com/advisories/spip-stored-cross-site-scripting-via-syndicated-sites

History

Thu, 19 Feb 2026 15:30:00 +0000

Type	Values Removed	Values Added
Description		SPIP before 4.4.9 allows Stored Cross-Site Scripting (XSS) via syndicated sites in the private area. The #URL_SYNDIC output is not properly sanitized on the private syndicated site page, allowing an attacker who can set a malicious syndication URL to inject persistent scripts that execute when other administrators view the syndicated site details.
Title		SPIP < 4.4.9 Stored Cross-Site Scripting via Syndicated Sites
First Time appeared		Spip Spip spip
Weaknesses		CWE-79
CPEs		cpe:2.3:a:spip:spip::::::::
Vendors & Products		Spip Spip spip
References		https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-9.html https://git.spip.net/spip/spip https://www.vulncheck.com/advisories/spip-stored-cross-site-scripting-via-syndicated-sites
Metrics		cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-02-19T14:58:19.289Z

Updated: 2026-02-19T14:58:19.289Z

Reserved: 2026-02-19T03:00:22.783Z

Link: CVE-2025-71248

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-02-19T16:27:13.083

Modified: 2026-02-19T16:27:13.083

Link: CVE-2025-71248

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-79

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object