Nixpkgs Security Tracker

Login with GitHub

Suggestion detail

Dismissed

Permalink CVE-2026-22205

updated 3 weeks, 3 days ago by @LeSuisse Activity log

Created automatic suggestion 3 weeks, 4 days ago
@LeSuisse removed
4 packages
- spip
- spiped
- aespipe
- lesspipe
3 weeks, 3 days ago
@LeSuisse dismissed 3 weeks, 3 days ago

SPIP < 4.4.10 Authentication Bypass via PHP Type Juggling

SPIP versions prior to 4.4.10 contain an authentication bypass vulnerability caused by PHP type juggling that allows unauthenticated attackers to access protected information. Attackers can exploit loose type comparisons in authentication logic to bypass login verification and retrieve sensitive internal data.

References

https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-10.html vendor-advisory patch
https://git.spip.net/spip/spip product
https://www.vulncheck.com/advisories/spip-sql-injection-rce-via-union-php-tags third-party-advisory

Affected products

SPIP

<4.4.10

Ignored packages (4)

pkgs.spip

A random forest model for splice prediction in genomics

nixos-unstable 0-unstable-2023-04-19
- nixpkgs-unstable 0-unstable-2023-04-19
- nixos-unstable-small 0-unstable-2023-04-19
nixos-25.11 0-unstable-2023-04-19
- nixos-25.11-small 0-unstable-2023-04-19
- nixpkgs-25.11-darwin 0-unstable-2023-04-19

pkgs.spiped

Utility for secure encrypted channels between sockets

nixos-unstable 1.6.4
- nixpkgs-unstable 1.6.4
- nixos-unstable-small 1.6.4
nixos-25.11 1.6.4
- nixos-25.11-small 1.6.4
- nixpkgs-25.11-darwin 1.6.4

pkgs.aespipe

AES encrypting or decrypting pipe

nixos-unstable 2.4j
- nixpkgs-unstable 2.4j
- nixos-unstable-small 2.4j
nixos-25.11 2.4j
- nixos-25.11-small 2.4j
- nixpkgs-25.11-darwin 2.4j

pkgs.lesspipe

Preprocessor for less

nixos-unstable 2.20
- nixpkgs-unstable 2.20
- nixos-unstable-small 2.20
nixos-25.11 2.20
- nixos-25.11-small 2.20
- nixpkgs-25.11-darwin 2.20

Not present in nixpkgs