CVE-2025-71242 Security Details

CVE ID

CVE-2025-71242

CWE

CWE-285

CVE Description

SPIP before 4.3.6, 4.2.17, and 4.1.20 allows unauthorized content disclosure in the private area. The application does not properly check authorization when displaying content of articles and sections (rubriques) in AJAX-loaded fragments, allowing an authenticated attacker to access restricted content. This vulnerability is not mitigated by the SPIP security screen.

Published

Feb 23, 2026

CVSS Score & Severity

6.5Medium

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Score

0.034%

Malware

malware

KEV Status

Not in KEV Catalog: No known exploits

Affected Ecosystems

affected

Source

National Vulnerability Database

References

https://www.vulncheck.com/advisories/spip-authorization-bypass-leading-to-content-disclosureTHIRD_PARTY