CVE-2026-27634

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the four date filter parameters (f_min_date_available, f_max_date_available, f_min_date_created, f_max_date_created) in ws_std_image_sql_filter() are concatenated directly into SQL without any escaping or type validation. This could result in an unauthenticated attacker reading the full database, including user password hashes. This issue has been patched in version 16.3.0.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/Piwigo/Piwigo/commit/0d5ed1f7778bbe263410446d8cf64594df75bd08	Patch
https://github.com/Piwigo/Piwigo/security/advisories/GHSA-mgqc-3445-qghq	Exploit Vendor Advisory
https://piwigo.org/release-16.3.0	Release Notes

Configurations

Configuration 1 (hide)

cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*

History

09 Apr 2026, 21:14

Type	Values Removed	Values Added
References	~~() https://github.com/Piwigo/Piwigo/commit/0d5ed1f7778bbe263410446d8cf64594df75bd08 -~~	() https://github.com/Piwigo/Piwigo/commit/0d5ed1f7778bbe263410446d8cf64594df75bd08 - Patch
References	~~() https://github.com/Piwigo/Piwigo/security/advisories/GHSA-mgqc-3445-qghq -~~	() https://github.com/Piwigo/Piwigo/security/advisories/GHSA-mgqc-3445-qghq - Exploit, Vendor Advisory
References	~~() https://piwigo.org/release-16.3.0 -~~	() https://piwigo.org/release-16.3.0 - Release Notes
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
First Time		Piwigo Piwigo piwigo
CPE		cpe:2.3:a:piwigo:piwigo::::::::

03 Apr 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-03 22:16

Updated : 2026-04-09 21:14

NVD link : CVE-2026-27634

Mitre link : CVE-2026-27634

CVE.ORG link : CVE-2026-27634

JSON object : View

Products Affected

piwigo

piwigo

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2026-27634", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-04-03T22:16:25.720", "references": [{"url": "https://github.com/Piwigo/Piwigo/commit/0d5ed1f7778bbe263410446d8cf64594df75bd08", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-mgqc-3445-qghq", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://piwigo.org/release-16.3.0", "tags": ["Release Notes"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the four date filter parameters (f_min_date_available, f_max_date_available, f_min_date_created, f_max_date_created) in ws_std_image_sql_filter() are concatenated directly into SQL without any escaping or type validation. This could result in an unauthenticated attacker reading the full database, including user password hashes. This issue has been patched in version 16.3.0."}], "lastModified": "2026-04-09T21:14:23.150", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3502BA46-5475-47BC-BA8F-F9456A836F1A", "versionEndExcluding": "16.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}