CVE-2025-71243

CRITICAL EXPLOITED NUCLEI LAB

SPIP Saisies 5.4.0-5.11.0 - Remote Code Execution

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2025-71243 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including Chocapikk, OpenStudio, including a Metasploit module exploits/multi/http/spip_saisies_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2025-71243, an unauthenticated Remote Code Execution (RCE) vulnerability in the SPIP Saisies plugin. The exploit leverages improper input sanitization in the `_anciennes_valeurs` parameter to inject PHP code into a template rendered with `interdire_scripts=false`.

Description

The 'Saisies pour formulaire' (Saisies) plugin for SPIP versions 5.4.0 through 5.11.0 contains a critical Remote Code Execution (RCE) vulnerability. An attacker can exploit this vulnerability to execute arbitrary code on the server. Users should immediately update to version 5.11.1 or later.

Exploits (2)

nomisec WORKING POC 1 stars
by Chocapikk · remote-auth
https://github.com/Chocapikk/CVE-2025-71243

This repository contains a functional exploit for CVE-2025-71243, an unauthenticated Remote Code Execution (RCE) vulnerability in the SPIP Saisies plugin. The exploit leverages improper input sanitization in the `_anciennes_valeurs` parameter to inject PHP code into a template rendered with `interdire_scripts=false`.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: SPIP Saisies plugin versions 5.4.0 through 5.11.0
No auth needed
Prerequisites: A publicly accessible form powered by the Saisies plugin (commonly via the Formidable plugin)
devstral-2 · analyzed Feb 19, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by OpenStudio · rubypocphp
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/spip_saisies_rce.rb

This Metasploit module exploits an unauthenticated PHP code injection vulnerability in the SPIP Saisies plugin (CVE-2025-71243) by injecting malicious PHP code via the '_anciennes_valeurs' form parameter, which is rendered unsanitized in a hidden field with 'interdire_scripts=false'.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: SPIP Saisies plugin versions 5.4.0 through 5.11.0
No auth needed
Prerequisites: A publicly accessible page containing a saisies-powered form, typically created with the Formidable plugin.
devstral-2 · analyzed Mar 09, 2026 Full analysis →

Nuclei Templates (1)

SPIP Saisies - Remote Code Execution
CRITICALVERIFIEDby omarkurt
Shodan: http.html:"SPIP"
FOFA: app="SPIP"

References (3)

Core 3

Scores

CVSS v3 9.8
EPSS 0.8541
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Lab Environment

COMMUNITY
Community Lab
docker pull spip:4.3-apache

Details

VulnCheck KEV 2026-04-09
CWE
CWE-94
Status published
Products (1)
spip/saisies 5.4.0 - 5.11.1
Published Feb 19, 2026
Tracked Since Feb 19, 2026