Piwigo ≫ Piwigo

A stored cross-site scripting (XSS) vulnerability in identification.php of Piwigo v13.4.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the User-Agent.

Piwigo 12.3.0 is vulnerable to Cross Site Scripting (XSS) via /search/1940/created-monthly-list.

Piwigo v12.2.0 was discovered to contain SQL injection vulnerability via the Search function.

piwigo 11.5.0 is affected by a remote code execution (RCE) vulnerability in the LocalFiles Editor.

In Piwigo 11.5.0, there exists a persistent cross-site scripting in the single mode function through /admin.php?page=batch_manager&mode=unit.

Piwigo 11.5.0 is affected by a SQL injection vulnerability via admin.php and the id parameter.

SQL Injection vulnerability in admin/batch_manager.php in piwigo v2.9.5, via the filter_category parameter to admin.php?page=batch_manager.

SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=group_perm.

SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=user_perm.

SQL Injection vulnerability in cat_move.php in piwigo v2.9.5, via the selection parameter to move_categories.