CVE-2026-22205
Severity: HIGH
SPIP < 4.4.10 - Unauthenticated Authentication Bypass via PHP Type Juggling
Title source: llmDescription
SPIP versions prior to 4.4.10 contain an authentication bypass vulnerability caused by PHP type juggling that allows unauthenticated attackers to access protected information. Attackers can exploit loose type comparisons in authentication logic to bypass login verification and retrieve sensitive internal data.
References (3)
- Product: https://git.spip.net/spip/spip
- Vendor advisory, patch: https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-10.html
- Third-party advisory, related: https://www.vulncheck.com/advisories/spip-sql-injection-rce-via-union-php-tags
Scores
CVSS v3: 7.5
EPSS: 0.0047
EPSS Percentile: 36.7%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-288
Status: published
Products (2):
- spip/spip < 4.4.10
- SPIP/SPIP < 4.4.10
Published: Feb 26, 2026
Tracked Since: Feb 27, 2026