CVE-2025-71248 – SPIP < 4.4.9 Stored Cross-Site Scripting via Syndicated Sites

CVE ID : CVE-2025-71248

Published : Feb. 19, 2026, 4:27 p.m. | 33 minutes ago

Description : SPIP before 4.4.9 allows Stored Cross-Site Scripting (XSS) via syndicated sites in the private area. The #URL_SYNDIC output is not properly sanitized on the private syndicated site page, allowing an attacker who can set a malicious syndication URL to inject persistent scripts that execute when other administrators view the syndicated site details.

Severity: 6.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…