Filtered by vendor Piwigo
Subscribe
Total
114 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2011-3790 | 1 Piwigo | 1 Piwigo | 2026-04-29 | 5.0 MEDIUM | N/A |
| Piwigo 2.1.5 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by tools/metadata.php and certain other files. | |||||
| CVE-2012-2208 | 1 Piwigo | 1 Piwigo | 2026-04-29 | 7.5 HIGH | N/A |
| Directory traversal vulnerability in upgrade.php in Piwigo before 2.3.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter. | |||||
| CVE-2012-2209 | 1 Piwigo | 1 Piwigo | 2026-04-29 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in admin.php in Piwigo before 2.3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) section parameter in the configuration module, (2) installstatus parameter in the languages_new module, or (3) theme parameter in the theme module. | |||||
| CVE-2010-1707 | 1 Piwigo | 1 Piwigo | 2026-04-29 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in register.php in Piwigo 2.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) login and (2) mail_address parameters. | |||||
| CVE-2013-1468 | 1 Piwigo | 1 Piwigo | 2026-04-29 | 7.6 HIGH | N/A |
| Cross-site request forgery (CSRF) vulnerability in the LocalFiles Editor plugin in Piwigo before 2.4.7 allows remote attackers to hijack the authentication of administrators for requests that create arbitrary PHP files via unspecified vectors. | |||||
| CVE-2013-1469 | 1 Piwigo | 1 Piwigo | 2026-04-29 | 4.0 MEDIUM | N/A |
| Directory traversal vulnerability in install.php in Piwigo before 2.4.7 allows remote attackers to read and delete arbitrary files via a .. (dot dot) in the dl parameter. | |||||
| CVE-2009-4039 | 1 Piwigo | 1 Piwigo | 2026-04-23 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Piwigo before 2.0.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2009-2933 | 1 Piwigo | 1 Piwigo | 2026-04-23 | 7.5 HIGH | N/A |
| SQL injection vulnerability in comments.php in Piwigo before 2.0.3 allows remote attackers to execute arbitrary SQL commands via the items_number parameter. | |||||
| CVE-2026-27885 | 1 Piwigo | 1 Piwigo | 2026-04-09 | N/A | 7.2 HIGH |
| Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability was discovered in Piwigo affecting the Activity List API endpoint. This vulnerability allows an authenticated administrator to extract sensitive data from the database, including user credentials, email addresses, and all stored content. This issue has been patched in version 16.3.0. | |||||
| CVE-2026-27834 | 1 Piwigo | 1 Piwigo | 2026-04-09 | N/A | 7.2 HIGH |
| Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is directly concatenated into a SQL query without proper sanitization, allowing authenticated administrators to execute arbitrary SQL commands. This issue has been patched in version 16.3.0. | |||||
| CVE-2026-27833 | 1 Piwigo | 1 Piwigo | 2026-04-09 | N/A | 7.5 HIGH |
| Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the pwg.history.search API method in Piwigo is registered without the admin_only option, allowing unauthenticated users to access the full browsing history of all gallery visitors. This issue has been patched in version 16.3.0. | |||||
| CVE-2026-27634 | 1 Piwigo | 1 Piwigo | 2026-04-09 | N/A | 9.8 CRITICAL |
| Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the four date filter parameters (f_min_date_available, f_max_date_available, f_min_date_created, f_max_date_created) in ws_std_image_sql_filter() are concatenated directly into SQL without any escaping or type validation. This could result in an unauthenticated attacker reading the full database, including user password hashes. This issue has been patched in version 16.3.0. | |||||
| CVE-2024-48928 | 1 Piwigo | 1 Piwigo | 2026-02-25 | N/A | 7.5 HIGH |
| Piwigo is an open source photo gallery application for the web. In versions on the 14.x branch, when installing, the secret_key configuration parameter is set to MD5(RAND()) in MySQL. However, RAND() only has 30 bits of randomness, making it feasible to brute-force the secret key. The CSRF token is constructed partially from the secret key, and this can be used to check if the brute force succeeded. Trying all possible values takes approximately one hour. The impact of this is limited. The auto login key uses the user's password on top of the secret key. The pwg token uses the user's session identifier on top of the secret key. It seems that values for get_ephemeral_key can be generated when one knows the secret key. Version 15.0.0 contains a fix for the issue. | |||||
| CVE-2025-62512 | 1 Piwigo | 1 Piwigo | 2026-02-25 | N/A | 5.3 MEDIUM |
| Piwigo is an open source photo gallery application for the web. In version 15.5.0 and likely earlier 15.x releases, the password reset functionality in Piwigo allows an unauthenticated attacker to determine whether a given username or email address exists in the system. The endpoint at password.php?action=lost returns distinct messages for valid vs. invalid accounts, enabling user enumeration. As of time of publication, no known patches are available. | |||||
| CVE-2025-62406 | 1 Piwigo | 1 Piwigo | 2025-11-25 | N/A | 8.1 HIGH |
| Piwigo is a full featured open source photo gallery application for the web. In Piwigo 15.6.0, using the password reset function allows sending a password-reset URL by entering an existing username or email address. However, the hostname used to construct this URL is taken from the HTTP request's Host header and is not validated at all. Therefore, an attacker can send a password-reset URL with a modified hostname to an existing user whose username or email the attacker knows or guesses. This issue has been patched in version 15.7.0. | |||||
| CVE-2024-43018 | 1 Piwigo | 1 Piwigo | 2025-08-06 | N/A | 6.4 MEDIUM |
| Piwigo 13.8.0 and below is vulnerable to SQL Injection in the parameters max_level and min_register. These parameters are used in ws_user_gerList function from file include\ws_functions\pwg.users.php and this same function is called by ws.php file at some point can be used for searching users in advanced way in /admin.php?page=user_list. | |||||
| CVE-2023-51790 | 1 Piwigo | 1 Piwigo | 2025-06-17 | N/A | 6.1 MEDIUM |
| Cross Site Scripting vulnerability in piwigo v.14.0.0 allows a remote attacker to obtain sensitive information via the lang parameter in the Admin Tools plug-in component. | |||||
| CVE-2024-46333 | 1 Piwigo | 1 Piwigo | 2025-05-27 | N/A | 4.8 MEDIUM |
| An authenticated cross-site scripting (XSS) vulnerability in Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Album Name parameter under the Add Album function. | |||||
| CVE-2024-28662 | 1 Piwigo | 1 Piwigo | 2025-05-23 | N/A | 5.4 MEDIUM |
| A Cross Site Scripting vulnerability exists in Piwigo before 14.3.0 script because of missing sanitization in create_tag in admin/include/functions.php. | |||||
| CVE-2024-52701 | 1 Piwigo | 1 Piwigo | 2025-05-22 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in the Configuration page of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page banner parameter. | |||||