Shodan
Vulnerabilities
Vulnerable Software
Piwigo:  >> Piwigo  >> 16.0.0  Security Vulnerabilities
CVE-2026-27834
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is directly concatenated into a SQL query without proper sanitization, allowing authenticated administrators to execute arbitrary SQL commands. This issue has been patched in version 16.3.0.
CVSS Score
7.2
EPSS Score
0.0
Published
2026-04-03
CVE-2026-27885
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability was discovered in Piwigo affecting the Activity List API endpoint. This vulnerability allows an authenticated administrator to extract sensitive data from the database, including user credentials, email addresses, and all stored content. This issue has been patched in version 16.3.0.
CVSS Score
7.2
EPSS Score
0.0
Published
2026-04-03
CVE-2026-27634
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the four date filter parameters (f_min_date_available, f_max_date_available, f_min_date_created, f_max_date_created) in ws_std_image_sql_filter() are concatenated directly into SQL without any escaping or type validation. This could result in an unauthenticated attacker reading the full database, including user password hashes. This issue has been patched in version 16.3.0.
CVSS Score
8.7
EPSS Score
0.0
Published
2026-04-03
CVE-2026-27833
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the pwg.history.search API method in Piwigo is registered without the admin_only option, allowing unauthenticated users to access the full browsing history of all gallery visitors. This issue has been patched in version 16.3.0.
CVSS Score
7.5
EPSS Score
0.0
Published
2026-04-03
CVE-2024-26450
An issue exists within Piwigo before v.14.2.0 allowing a malicious user to take over the application. This exploit involves chaining a Cross Site Request Forgery vulnerability to issue a Stored Cross Site Scripting payload stored within an Admin user's dashboard, executing remote JavaScript. This can be used to upload a new PHP file under an administrator and directly call that file from the victim's instance to connect back to a malicious listener.
CVSS Score
5.4
EPSS Score
0.005
Published
2024-02-28


Products
Pricing
Contact Us

Shodan ® - All rights reserved