CVE-2025-71244 MEDIUM

CVE-2025-71244: SPIP < 4.4.5 Open Redirect via Login Form

Vendor Spip
Product SPIP
Weakness CWE-601 · Open redirect
Published February 19, 2026
Last update March 5, 2026

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Active
Confidentiality None
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

SPIP before 4.4.5 and 4.3.9 allows an Open Redirect via the login form when used in AJAX mode. An attacker can craft a malicious URL that, when visited by a victim, redirects them to an arbitrary external site after login. This vulnerability only affects sites where the login page has been overridden to function in AJAX mode. It is not mitigated by the SPIP security screen.

Key dates

02 Disclosure timeline

February 19, 2026 CVE published
March 5, 2026 Record updated