Piwigo
by Piwigo
Source repositories
CVEs (107)
| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2012-2208 | 0.04 | — | 0.09 | Aug 14, 2012 | Directory traversal vulnerability in upgrade.php in Piwigo before 2.3.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter. |
| CVE-2023-33362 | 0.03 | — | 0.09 | May 23, 2023 | Piwigo 13.6.0 is vulnerable to SQL Injection in the "profile" function. |
| CVE-2021-27973 | 0.03 | — | 0.11 | Apr 2, 2021 | SQL injection exists in Piwigo before 11.4.0 via the language parameter to admin.php?page=languages. |
| CVE-2020-9467 | 0.03 | — | 0.24 | Mar 26, 2020 | Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php request because of the pwg.images.setInfo function. |
| CVE-2014-9115 | 0.03 | — | 0.03 | Dec 23, 2014 | SQL injection vulnerability in the rate_picture function in include/functions_rate.inc.php in Piwigo before 2.5.5, 2.6.x before 2.6.4, and 2.7.x before 2.7.2 allows remote attackers to execute arbitrary SQL commands via the rate parameter to picture.php, related to an improper… |
| CVE-2013-1468 | 0.03 | — | 0.06 | Mar 14, 2013 | Cross-site request forgery (CSRF) vulnerability in the LocalFiles Editor plugin in Piwigo before 2.4.7 allows remote attackers to hijack the authentication of administrators for requests that create arbitrary PHP files via unspecified vectors. |
| CVE-2012-2209 | 0.03 | — | 0.04 | Aug 14, 2012 | Multiple cross-site scripting (XSS) vulnerabilities in admin.php in Piwigo before 2.3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) section parameter in the configuration module, (2) installstatus parameter in the languages_new module, or (3) theme… |
| CVE-2025-62512 | 0.00 | — | 0.01 | Feb 24, 2026 | Piwigo is an open source photo gallery application for the web. In version 15.5.0 and likely earlier 15.x releases, the password reset functionality in Piwigo allows an unauthenticated attacker to determine whether a given username or email address exists in the system. The… |
| CVE-2024-48928 | 0.00 | — | 0.00 | Feb 24, 2026 | Piwigo is an open source photo gallery application for the web. In versions on the 14.x branch, when installing, the secret_key configuration parameter is set to MD5(RAND()) in MySQL. However, RAND() only has 30 bits of randomness, making it feasible to brute-force the secret… |
| CVE-2025-62406 | 0.00 | — | 0.00 | Nov 18, 2025 | Piwigo is a full featured open source photo gallery application for the web. In Piwigo 15.6.0, using the password reset function allows sending a password-reset URL by entering an existing username or email address. However, the hostname used to construct this URL is taken from… |
| CVE-2024-43018 | 0.00 | — | 0.00 | Jul 29, 2025 | Piwigo 13.8.0 and below is vulnerable to SQL Injection in the parameters max_level and min_register. These parameters are used in ws_user_gerList function from file include\ws_functions\pwg.users.php and this same function is called by ws.php file at some point can be used for… |
| CVE-2024-52701 | 0.00 | — | 0.00 | Nov 20, 2024 | A stored cross-site scripting (XSS) vulnerability in the Configuration page of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page banner parameter. |
| CVE-2024-48311 | 0.00 | — | 0.00 | Oct 31, 2024 | Piwigo v14.5.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Edit album function. |
| CVE-2024-46605 | 0.00 | — | 0.00 | Oct 16, 2024 | A cross-site scripting (XSS) vulnerability in the component /admin.php?page=album of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description field. |
| CVE-2024-46606 | 0.00 | — | 0.00 | Oct 16, 2024 | A cross-site scripting (XSS) vulnerability in the component /admin.php?page=photo of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description field. |
| CVE-2024-46333 | 0.00 | — | 0.00 | Sep 27, 2024 | An authenticated cross-site scripting (XSS) vulnerability in Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Album Name parameter under the Add Album function. |
| CVE-2024-28662 | 0.00 | — | 0.00 | Mar 13, 2024 | A Cross Site Scripting vulnerability exists in Piwigo before 14.3.0 because of missing sanitization in create_tag in admin/include/functions.php. |
| CVE-2024-26450 | 0.00 | — | 0.00 | Feb 28, 2024 | An issue exists within Piwigo before v.14.2.0 allowing a malicious user to take over the application. This exploit involves chaining a Cross Site Request Forgery vulnerability to issue a Stored Cross Site Scripting payload stored within an Admin user's dashboard, executing… |
| CVE-2023-51790 | 0.00 | — | 0.01 | Jan 12, 2024 | Cross Site Scripting vulnerability in piwigo v.14.0.0 allows a remote attacker to obtain sensitive information via the lang parameter in the Admin Tools plug-in component. |
| CVE-2023-44393 | 0.00 | — | 0.01 | Oct 9, 2023 | Piwigo is an open source photo gallery application. Prior to version 14.0.0beta4, a reflected cross-site scripting (XSS) vulnerability is in the `/admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page. This vulnerability can be exploited by an attacker to inject… |
Page 3 of 6