CVE-2025-71244 PUBLISHED

SPIP < 4.4.5 Open Redirect via Login Form

Assigner: VulnCheck
Reserved: 19.02.2026 Published: 19.02.2026 Updated: 19.02.2026

SPIP before 4.4.5 and 4.3.9 allows an Open Redirect via the login form when used in AJAX mode. An attacker can craft a malicious URL that, when visited by a victim, redirects them to an arbitrary external site after login. This vulnerability only affects sites where the login page has been overridden to function in AJAX mode. It is not mitigated by the SPIP security screen.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 5.1

Product Status

Vendor SPIP
Product SPIP
Versions Default: unaffected
  • affected from 4.3.0 to 4.3.9 (excl.)
  • affected from 4.4.0 to 4.4.5 (excl.)

Credits

  • SPIP security team finder

References

Problem Types

  • URL Redirection to Untrusted Site ('Open Redirect') CWE