Piwigo

Piwigo

103 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
7.2

CVE-2026-27885

Exploit
  • EPSS 0.04%
  • Veröffentlicht 03.04.2026 21:36:07
  • Zuletzt bearbeitet 09.04.2026 21:15:10

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability was discovered in Piwigo affecting the Activity List API endpoint. This vulnerability allows an authenticated administrator to extr...

7.2

CVE-2026-27834

Exploit
  • EPSS 0.04%
  • Veröffentlicht 03.04.2026 21:35:13
  • Zuletzt bearbeitet 09.04.2026 21:15:01

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is directly concatenated into a SQL query without prop...

7.5

CVE-2026-27833

Exploit
  • EPSS 0.05%
  • Veröffentlicht 03.04.2026 21:34:11
  • Zuletzt bearbeitet 09.04.2026 21:14:48

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the pwg.history.search API method in Piwigo is registered without the admin_only option, allowing unauthenticated users to access the full browsing history of al...

9.8

CVE-2026-27634

Exploit
  • EPSS 0.08%
  • Veröffentlicht 03.04.2026 21:33:13
  • Zuletzt bearbeitet 09.04.2026 21:14:23

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the four date filter parameters (f_min_date_available, f_max_date_available, f_min_date_created, f_max_date_created) in ws_std_image_sql_filter() are concatenate...

5.3

CVE-2025-62512

Exploit
  • EPSS 2.01%
  • Veröffentlicht 24.02.2026 16:43:28
  • Zuletzt bearbeitet 25.02.2026 16:53:02

Piwigo is an open source photo gallery application for the web. In version 15.5.0 and likely earlier 15.x releases, the password reset functionality in Piwigo allows an unauthenticated attacker to determine whether a given username or email address e...

7.5

CVE-2024-48928

  • EPSS 0.05%
  • Veröffentlicht 24.02.2026 16:39:56
  • Zuletzt bearbeitet 25.02.2026 16:53:44

Piwigo is an open source photo gallery application for the web. In versions on the 14.x branch, when installing, the secret_key configuration parameter is set to MD5(RAND()) in MySQL. However, RAND() only has 30 bits of randomness, making it feasible...

8.8

CVE-2025-62406

Exploit
  • EPSS 0.08%
  • Veröffentlicht 18.11.2025 22:18:45
  • Zuletzt bearbeitet 25.11.2025 18:39:37

Piwigo is a full featured open source photo gallery application for the web. In Piwigo 15.6.0, using the password reset function allows sending a password-reset URL by entering an existing username or email address. However, the hostname used to cons...

6.4

CVE-2024-43018

Exploit
  • EPSS 0.03%
  • Veröffentlicht 29.07.2025 00:00:00
  • Zuletzt bearbeitet 06.08.2025 16:24:27

Piwigo 13.8.0 and below is vulnerable to SQL Injection in the parameters max_level and min_register. These parameters are used in ws_user_gerList function from file include\ws_functions\pwg.users.php and this same function is called by ws.php file at...

5.4

CVE-2024-52701

Exploit
  • EPSS 0.91%
  • Veröffentlicht 20.11.2024 21:15:08
  • Zuletzt bearbeitet 22.05.2025 17:28:18

A stored cross-site scripting (XSS) vulnerability in the Configuration page of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page banner parameter.

8.8

CVE-2024-48311

Exploit
  • EPSS 0.13%
  • Veröffentlicht 31.10.2024 02:15:04
  • Zuletzt bearbeitet 22.05.2025 17:26:02

Piwigo v14.5.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Edit album function.