CVE-2023-53900

HIGH

Spip 4.1.10 - Stored Cross-Site Scripting via Malicious SVG Upload

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-53900. PoCs published by nu11secur1ty.

AI-analyzed exploit summary

This exploit demonstrates a spoofing vulnerability in SPIP v4.1.10 where a malicious SVG file can be uploaded to trick an administrator into clicking a link. The SVG contains an embedded hyperlink that redirects to an external URL, leveraging improper file upload sanitization.

Description

Spip 4.1.10 contains a file upload vulnerability that allows attackers to upload malicious SVG files with embedded external links. Because uploaded files are not properly filtered, an attacker can trick an administrator into clicking a crafted SVG logo that redirects to a potentially dangerous URL.

Exploits (1)

exploitdb WORKING POC
by nu11secur1ty · text · webapps · php
https://www.exploit-db.com/exploits/51557

Classification
Working PoC: 90%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: SPIP v4.1.10
No auth needed
Prerequisites: Ability to upload files to the SPIP instance · Administrator interaction to click the malicious link
devstral-2 · analyzed Feb 16, 2026

References (3)

Scores

CVSS v3 8.8
EPSS 0.0027
EPSS Percentile 17.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-79
Status published
Products (2)
spip/spip 4.1.10
spip/spip 4.1.10
Published Dec 16, 2025
Tracked Since Feb 18, 2026