High severity7.2NVD Advisory· Published Apr 3, 2026· Updated Apr 9, 2026

CVE-2026-27885

Description

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability was discovered in Piwigo affecting the Activity List API endpoint. This vulnerability allows an authenticated administrator to extract sensitive data from the database, including user credentials, email addresses, and all stored content. This issue has been patched in version 16.3.0.

Affected products

Piwigo/Piwigo
cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*
Range: <16.3.0

Patches

c172d284e11e

https://github.com/Piwigo/Piwigovia nvd-ref

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/Piwigo/Piwigo/commit/c172d284e11eab4a5dbadd2844d26f734d5c8c72nvdPatch
github.com/Piwigo/Piwigo/security/advisories/GHSA-wfmr-9hg8-jh3mnvdExploitMitigationVendor Advisory
piwigo.org/release-16.3.0nvdRelease Notes

News mentions

No linked articles in our index yet.

cvss	0.468
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000