CVE-2026-27634

Piwigo: Pre-auth SQL injection via date filter parameters in ws_std_image_sql_filter

CVSS 8.7 HIGHEPSS 0.7%CWE-89

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 8.7EPSS 0.7%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

03 abr 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the four date filter parameters (f_min_date_available, f_max_date_available, f_min_date_created, f_max_date_created) in ws_std_image_sql_filter() are concatenated directly into SQL without any escaping or type validation. This could result in an unauthenticated attacker reading the full database, including user password hashes. This issue has been patched in version 16.3.0.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Productos afectados

Piwigo · Piwigo

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/Piwigo/Piwigo/commit/0d5ed1f7778bbe263410446d8cf64594df75bd08 https://github.com/Piwigo/Piwigo/security/advisories/GHSA-mgqc-3445-qghq https://piwigo.org/release-16.3.0