CVE-2026-22205 HIGH

CVE-2026-22205: SPIP < 4.4.10 Authentication Bypass via PHP Type Juggling

Vendor Spip

Product SPIP

Weakness CWE-288

Published February 26, 2026

Last update May 25, 2026

View on NVD All CVEs

CVSS base score

8.7/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

SPIP versions prior to 4.4.10 contain an authentication bypass vulnerability caused by PHP type juggling that allows unauthenticated attackers to access protected information. Attackers can exploit loose type comparisons in authentication logic to bypass login verification and retrieve sensitive internal data.

Key dates

Disclosure timeline

February 26, 2026 CVE published

May 25, 2026 Record updated