5.1
SPIP Login Page Can Redirect Users to Malicious Sites
CVE-2025-71244
Summary
If your SPIP site uses a login form in AJAX mode, an attacker could craft a link that redirects your users to an arbitrary external website after they log in. This only affects sites that have customized their login page to work in AJAX mode. To fix this, update SPIP to version 4.4.5 or 4.3.9.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| spip | spip | > 4.3.0 , <= 4.3.9 | – |
| spip | spip | > 4.4.0 , <= 4.4.5 | – |
Original title
SPIP before 4.4.5 and 4.3.9 allows an Open Redirect via the login form when used in AJAX mode. An attacker can craft a malicious URL that, when visited by a victim, redirects them to an arbitrary e...
Original description
SPIP before 4.4.5 and 4.3.9 allows an Open Redirect via the login form when used in AJAX mode. An attacker can craft a malicious URL that, when visited by a victim, redirects them to an arbitrary external site after login. This vulnerability only affects sites where the login page has been overridden to function in AJAX mode. It is not mitigated by the SPIP security screen.
nvd CVSS3.1
6.1
nvd CVSS4.0
5.1
Vulnerability type
CWE-601
Open Redirect
- https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-5.html (Broken Link)
- https://git.spip.net/spip/spip (Product)
- https://www.vulncheck.com/advisories/spip-open-redirect-via-login-form (Third Party Advisory)
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026