CVE-2025-71242 PUBLISHED

SPIP < 4.3.6 Authorization Bypass Leading to Content Disclosure

Assigner: VulnCheck
Reserved: 19.02.2026
Published: 19.02.2026
Updated: 19.02.2026

SPIP before 4.3.6, 4.2.17, and 4.1.20 allows unauthorized content disclosure in the private area. The application does not properly check authorization when displaying content of articles and sections (rubriques) in AJAX-loaded fragments, allowing an authenticated attacker to access restricted content. This vulnerability is not mitigated by the SPIP security screen.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 5.3

Product Status

Vendor: SPIP
Product: SPIP
Versions (default status: unaffected):
  • affected from 4.1.0 to 4.1.20 (excl.)
  • affected from 4.2.0 to 4.2.17 (excl.)
  • affected from 4.3.0 to 4.3.6 (excl.)

Credits

  • SPIP security team (finder)

References