CVE-2026-22205 — Authentication Bypass Using an Alternate Path or Channel in Spip

CWE-288 — Authentication Bypass Using an Alternate Path or Channel5 documents5 sources

Severity

8.7HIGHNVD

EPSS

0.4%

top 40.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Spip Debian Spip

Timeline

PublishedFeb 26

Description

SPIP versions prior to 4.4.10 contain an authentication bypass vulnerability caused by PHP type juggling that allows unauthenticated attackers to access protected information. Attackers can exploit loose type comparisons in authentication logic to bypass login verification and retrieve sensitive internal data.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

▶NVDspip/spip< 4.4.10

▶debiandebian/spip< spip 4.4.10+dfsg-1 (forky)

▶Debianspip/spip< 4.4.11+dfsg-0+deb13u1+1

🔴Vulnerability Details

GHSA

GHSA-gxmj-pr3w-6wmh: SPIP versions prior to 4↗2026-02-26

▶

OSV

CVE-2026-22205: SPIP versions prior to 4↗2026-02-26

▶

📋Vendor Advisories

Debian

CVE-2026-22205: spip - SPIP versions prior to 4.4.10 contain an authentication bypass vulnerability cau...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-22205 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶