CVE-2025-71241

Source
https://cve.org/CVERecord?id=CVE-2025-71241
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-71241.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-71241
Published
2026-02-19T16:27:11.903Z
Modified
2026-02-26T01:23:44.479403Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an attacker to inject malicious scripts. This vulnerability is mitigated by the SPIP security screen.

Affected packages

Git / git.spip.net/spip/spip

Affected ranges

Type
GIT
Repo
https://git.spip.net/spip/spip
Events
Introduced a797bb7a425631b6a7c1bcfcc3ce939823e4d152, Fixed 7c22229944e955c98ed46be2e4c0d55612c4d599
Introduced d018791680e65c1415b84efdfb89f6c96ba8c34a, Fixed a268e0e00d24dce35c5df4070721e69312621a4a
Introduced ecac31e4c3c28ad0d7969b2f44c4e3b6711b0dfc, Fixed dbaedf8278c270b0627a86769e1c5dea04062625

Affected versions

v4.*
v4.3.0
v4.3.1
v4.3.2
v4.3.3
v4.3.4
v4.3.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-71241.json"