Main Vulnerability Database SB2026042602

SB2026042602 - Insufficient Entropy in Piwigo

Published: April 26, 2026

Security Bulletin ID SB2026042602

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Insufficient Entropy (CVE-ID: CVE-2024-48928)

CWE-ID: CWE-331 - Insufficient Entropy

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to generate valid ephemeral keys.

The vulnerability exists due to insufficient entropy in secret_key generation in the installation configuration process when initializing the secret_key value with MD5(RAND()) in MySQL. A remote attacker can brute-force the secret key and verify guesses using the CSRF token construction to generate valid ephemeral keys.

Trying all possible values takes approximately one hour.

Remediation

Install update from vendor's website.

References

https://github.com/Piwigo/Piwigo/security/advisories/GHSA-hghg-37rg-7r42