CVE-2025-71241
- EPSS 0.2%
- Veröffentlicht 19.02.2026 14:58:13
- Zuletzt bearbeitet 02.03.2026 15:16:31
SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an attacker to inject malicious scripts. This vulnera...
CVE-2025-71240
- EPSS 0.18%
- Veröffentlicht 19.02.2026 14:58:12
- Zuletzt bearbeitet 24.02.2026 18:53:21
SPIP before 4.2.15 allows Cross-Site Scripting (XSS) via crafted content in HTML code tags. The application does not properly verify JavaScript within code tags, allowing an attacker to inject malicious scripts that execute in a victim's browser.
CVE-2023-53900
- EPSS 0.27%
- Veröffentlicht 16.12.2025 17:06:24
- Zuletzt bearbeitet 29.04.2026 01:00:01
Spip 4.1.10 contains a file upload vulnerability that allows attackers to upload malicious SVG files with embedded external links. Attackers can trick administrators into clicking a crafted SVG logo that redirects to a potentially dangerous URL throu...
CVE-2024-53620
- EPSS 0.36%
- Veröffentlicht 26.11.2024 19:15:31
- Zuletzt bearbeitet 03.07.2025 00:32:56
A cross-site scripting (XSS) vulnerability in the Article module of SPIP v4.3.3 allows authenticated attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Title parameter.
CVE-2024-53619
- EPSS 0.55%
- Veröffentlicht 26.11.2024 19:15:30
- Zuletzt bearbeitet 07.07.2025 17:54:54
An authenticated arbitrary file upload vulnerability in the Documents module of SPIP v4.3.3 allows attackers to execute arbitrary code via uploading a crafted PDF file.
CVE-2024-8517
- EPSS 94.62%
- Veröffentlicht 06.09.2024 16:15:03
- Zuletzt bearbeitet 25.09.2025 19:15:42
SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.
CVE-2024-7954
- EPSS 89.95%
- Veröffentlicht 23.08.2024 18:15:07
- Zuletzt bearbeitet 15.04.2026 00:35:42
The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.
CVE-2024-23659
- EPSS 0.44%
- Veröffentlicht 19.01.2024 05:15:09
- Zuletzt bearbeitet 02.06.2025 15:15:32
SPIP before 4.1.14 and 4.2.x before 4.2.8 allows XSS via the name of an uploaded file. This is related to javascript/bigup.js and javascript/bigup.utils.js.
CVE-2023-52322
- EPSS 0.44%
- Veröffentlicht 04.01.2024 07:15:09
- Zuletzt bearbeitet 03.06.2025 15:15:49
ecrire/public/assembler.php in SPIP before 4.1.13 and 4.2.x before 4.2.7 allows XSS because input from _request() is not restricted to safe characters such as alphanumerics.
CVE-2023-27372
- EPSS 99.64%
- Veröffentlicht 28.02.2023 20:15:10
- Zuletzt bearbeitet 11.03.2025 15:15:38
SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.