CVE-2025-71243
Published Feb 19, 2026
Last updated 3 months ago
AI description
CVE-2025-71243 describes a Remote Code Execution (RCE) vulnerability found in the 'Saisies pour formulaire' plugin for SPIP. This flaw impacts versions 5.4.0 through 5.11.0 of the plugin. The vulnerability allows an attacker to execute arbitrary code on the affected server. This is due to improper control over code generation within the plugin, which enables the injection of malicious code. Exploitation of this vulnerability does not require authentication or user interaction. To mitigate this issue, users are advised to update the 'Saisies pour formulaire' plugin to version 5.11.1 or later.
- Description
- The 'Saisies pour formulaire' (Saisies) plugin for SPIP versions 5.4.0 through 5.11.0 contains a critical Remote Code Execution (RCE) vulnerability. An attacker can exploit this vulnerability to execute arbitrary code on the server. Users should immediately update to version 5.11.1 or later.
- Source
- disclosure@vulncheck.com
- NVD status
- Analyzed
- Products
- saisies
CVSS 4.0
- Type
- Secondary
- Base score
- 9.3
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- CRITICAL
CVSS 3.1
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- disclosure@vulncheck.com
- CWE-94
- Hype score
- Not currently trending
#CyberSecurity Defending Against CVE-2025-71243 and Emerging Linux Evasion Techniques "In the cybersecurity landscape, tools used by penetration testers often provide…" https://t.co/C9hOZNJOGs #CyberSecurity #ThreatIntel #penetrationtesting #redteam #offensivesecu
@SecurityAr58409
15 Apr 2026
47 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
No bad luck here! The Metasploit weekly wrapup is live with 3 new modules: LeakIX Search, Linux RC4 payload packer, and an unauthenticated RCE for SPIP Saisies (CVE-2025-71243). Plus, check out Metasploit Pro 5.0.0! Read the full details: https://t.co/TxoVyZhSiU #Metasploit
@metasploit
13 Mar 2026
2467 Impressions
6 Retweets
24 Likes
7 Bookmarks
0 Replies
0 Quotes
CVE-2025-71243 - critical SPIP Saisies - Remote Code Execution > SPIP Saisies plugin 5.4.0 through 5.11.0 contains a remote code execution caused by a... https://t.co/IWVajUjb0F @pdnuclei #NucleiTemplates #cve
@pdnuclei_bot
11 Mar 2026
217 Impressions
0 Retweets
2 Likes
1 Bookmark
0 Replies
0 Quotes
After reversing CVE-2025-71243 in SPIP's Saisies plugin, I audited other SPIP plugins for the same template injection pattern. Found 5 more vulnerabilities across 4 plugins - same eval() chain, different entry points. Low-adoption plugins, but the patterns are worth documenting.
@Chocapikk_
25 Feb 2026
1596 Impressions
5 Retweets
21 Likes
8 Bookmarks
0 Replies
0 Quotes
CVE-2025-71243 Remote Code Execution Vulnerability in SPIP Saisies Plugin 5.4.0-5.11.0 https://t.co/WVDrZtHrfp
@VulmonFeeds
19 Feb 2026
47 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-71243 - SPIP Saisies Plugin RCE Advisory dropped today, PoC ready 30 minutes later. Full AI-assisted reversal from patch diff to confirmed RCE. Same exploitation pattern as CVE-2023-27372 - unsanitized input into SPIP's template engine with interdire_scripts=false. Two
@Chocapikk_
19 Feb 2026
1621 Impressions
4 Retweets
21 Likes
3 Bookmarks
2 Replies
0 Quotes
CVE-2025-71243 - Critical The 'Saisies pour formulaire' (Saisies) plugin for SPIP versions 5.4.0 through 5.11.0 contains a critical Remote Code Execution (RCE) vulnerability. An attacker can exploit this vulnerabi... https://t.co/mpwZ2WXI0H https://t.co/hDv5Eay78p
@TheHackerWire
19 Feb 2026
55 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:spip:saisies:*:*:*:*:*:spip:*:*",
            "matchCriteriaId": "A0CC0626-A012-4C8C-971A-C880F5EBDAA6",
            "versionEndExcluding": "5.11.1",
            "versionStartIncluding": "5.4.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]