Critical severity9.8NVD Advisory· Published Apr 3, 2026· Updated Apr 9, 2026
CVE-2026-27634
CVE-2026-27634
Description
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the four date filter parameters (f_min_date_available, f_max_date_available, f_min_date_created, f_max_date_created) in ws_std_image_sql_filter() are concatenated directly into SQL without any escaping or type validation. This could result in an unauthenticated attacker reading the full database, including user password hashes. This issue has been patched in version 16.3.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
3- github.com/Piwigo/Piwigo/commit/0d5ed1f7778bbe263410446d8cf64594df75bd08nvdPatch
- github.com/Piwigo/Piwigo/security/advisories/GHSA-mgqc-3445-qghqnvdExploitVendor Advisory
- piwigo.org/release-16.3.0nvdRelease Notes
News mentions
0No linked articles in our index yet.