Cross-site scripting in Piwigo - #VU127938

 


Published: March 1, 2024 / Updated: April 26, 2026


Vulnerability identifier: #VU127938
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Piwigo
Software vendor: Piwigo.org

Description

The vulnerability allows a remote user to execute arbitrary scripts in the browsers of users who access the tag page.

The vulnerability exists because tag names submitted through the pwg.tags.add web API method are not properly neutralized before being rendered on the Tags page of the administrator screen (CWE-79). A remote user can add a crafted tag name so that arbitrary script runs in the browser of any user who opens the tag page.

Exploitation requires access to the administrator screen with permission to access "Photos" and add tags.
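As an added illustration (not Piwigo's own code; the function names, the row layout and the link path are assumptions), the rendering pattern that produces a CWE-79 bug of this kind is shown beside its hardened form:

```php
<?php
// Added illustration, not Piwigo's own code. Tag names supplied through the
// pwg.tags.add web API are stored and later rendered on the admin Tags page.
// renderTagListUnsafe, renderTagList, the $tags rows and the link path
// "tags.php?tag_id=" are assumptions made for this example.

declare(strict_types=1);

/** Vulnerable pattern: the stored tag name is interpolated into HTML verbatim. */
function renderTagListUnsafe(array $tags): string
{
    $html = "<ul class=\"tags\">\n";
    foreach ($tags as $tag) {
        // Any markup inside the stored name becomes part of the page (CWE-79).
        $html .= "  <li><a href=\"tags.php?tag_id={$tag['id']}\">{$tag['name']}</a></li>\n";
    }
    return $html . "</ul>\n";
}

/** Hardened pattern: encode every untrusted value for the context it lands in. */
function renderTagList(array $tags): string
{
    $html = "<ul class=\"tags\">\n";
    foreach ($tags as $tag) {
        // Numeric context: cast instead of trusting the stored string.
        $id = (int) $tag['id'];
        // HTML text and attribute context: escape <, >, &, " and ' as entities.
        $name = htmlspecialchars($tag['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= "  <li><a href=\"tags.php?tag_id={$id}\">{$name}</a></li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed sample rows: one ordinary tag and one whose name carries markup,
// as it could after being stored through the API without validation.
$tags = [
    ['id' => 7,  'name' => 'holiday'],
    ['id' => 12, 'name' => '<b title="x">not bold</b>'],
];

// With the hardened renderer the markup in the second name is inert text.
echo renderTagList($tags);
```

Escaping at output time is the fix that holds regardless of which API or form stored the value; input-side validation of tag names is a useful extra layer, not a replacement.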


Remediation

Install the security update from the vendor's website.
