Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-22205

created 1 month, 3 weeks ago

SPIP < 4.4.10 Authentication Bypass via PHP Type Juggling

SPIP versions prior to 4.4.10 contain an authentication bypass vulnerability caused by PHP type juggling that allows unauthenticated attackers to access protected information. Attackers can exploit loose type comparisons in authentication logic to bypass login verification and retrieve sensitive internal data.

References

https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-10.html patchvendor-advisory
https://git.spip.net/spip/spip product
https://www.vulncheck.com/advisories/spip-sql-injection-rce-via-union-php-tags third-party-advisory

Affected products

SPIP

<4.4.10

Matching in nixpkgs

pkgs.spip

A random forest model for splice prediction in genomics

nixos-unstable 0-unstable-2023-04-19
- nixpkgs-unstable 0-unstable-2023-04-19
- nixos-unstable-small 0-unstable-2023-04-19
nixos-25.11 0-unstable-2023-04-19
- nixos-25.11-small 0-unstable-2023-04-19
- nixpkgs-25.11-darwin 0-unstable-2023-04-19

pkgs.spiped

Utility for secure encrypted channels between sockets

nixos-unstable 1.6.4
- nixpkgs-unstable 1.6.4
- nixos-unstable-small 1.6.4
nixos-25.11 1.6.4
- nixos-25.11-small 1.6.4
- nixpkgs-25.11-darwin 1.6.4

pkgs.aespipe

AES encrypting or decrypting pipe

nixos-unstable 2.4j
- nixpkgs-unstable 2.4j
- nixos-unstable-small 2.4j
nixos-25.11 2.4j
- nixos-25.11-small 2.4j
- nixpkgs-25.11-darwin 2.4j

pkgs.lesspipe

Preprocessor for less

nixos-unstable 2.20
- nixpkgs-unstable 2.20
- nixos-unstable-small 2.20
nixos-25.11 2.20
- nixos-25.11-small 2.20
- nixpkgs-25.11-darwin 2.20

Package maintainers

@martijnvermaat Martijn Vermaat <martijn@vermaat.name>
@apraga Alexis Praga <alexis.praga@proton.me>
@thoughtpolice Austin Seipp <aseipp@pobox.com>