SB2026042604 - Multiple vulnerabilities in Piwigo

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026042604

SB2026042604 - Multiple vulnerabilities in Piwigo

Published: April 26, 2026

Security Bulletin ID SB2026042604
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 33% Low 67%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 vulnerabilities.


1) SQL injection (CVE-ID: CVE-2026-27834)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in the ws_users_getList() function in include/ws_functions/pwg.users.php when processing the filter parameter in the pwg.users.getList Web Service API method. A remote privileged user can send a specially crafted API request to execute arbitrary SQL commands.

The issue affects the filter parameter of the pwg.users.getList API method.


2) SQL injection (CVE-ID: CVE-2026-27885)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to SQL injection in the Activity List API endpoint when handling the id parameter in requests to /ws.php?format=json&method=pwg.activity.getList. A remote privileged user can send a specially crafted request to disclose sensitive information.

The issue is error-based and can expose database contents including user credentials, email addresses, and stored content.


3) SQL injection (CVE-ID: CVE-2026-27634)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to SQL injection in ws_std_image_sql_filter() in include/ws_functions.inc.php when processing date filter parameters in guest-accessible API requests. A remote attacker can send a specially crafted request to disclose sensitive information.

The issue affects the f_min_date_available, f_max_date_available, f_min_date_created, and f_max_date_created parameters, and exploitation is possible through the pwg.categories.getImages and pwg.tags.getImages methods when guest access is enabled, which is the default configuration.


Remediation

Install update from vendor's website.

References