VYPR · Vendor CVEs

Piwigo: All CVEs

107 total · sorted by risk
  • CVE-2017-10682 · Critical · Jun 29, 2017
    risk 0.67 · cvss 9.8 · epss 0.08

    SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL commands via the cat_false or cat_true parameter in the comments or status page to cat_options.php.

  • CVE-2017-9426 · Critical · Feb 26, 2018
    risk 0.64 · cvss 9.8 · epss 0.03

    ws.php in the Facetag extension 0.0.3 for Piwigo allows SQL injection via the imageId parameter in a facetag.changeTag or facetag.listTags action.

  • CVE-2026-27634 · Critical · Apr 3, 2026
    risk 0.57 · cvss 9.8 · epss 0.01

    Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the four date filter parameters (f_min_date_available, f_max_date_available, f_min_date_created, f_max_date_created) in ws_std_image_sql_filter() are concatenated directly into SQL without…

  • CVE-2017-17827 · High · Dec 21, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Piwigo 2.9.2 is vulnerable to Cross-Site Request Forgery via /admin.php?page=configuration&section=main or /admin.php?page=batch_manager&mode=unit. An attacker can exploit this to coerce an admin user into performing unintended actions.

  • CVE-2017-17774 · High · Dec 20, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    admin/configuration.php in Piwigo 2.9.2 has CSRF.

  • CVE-2017-10681 · High · Jun 29, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to unlock albums via a crafted request.

  • CVE-2017-10680 · High · Jun 29, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to change a private album to public via a crafted request.

  • CVE-2017-10678 · High · Jun 29, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to delete permalinks via a crafted request.

  • CVE-2016-10105 · Critical · Jan 3, 2017
    risk 0.57 · cvss 9.8 · epss 0.02

    admin/plugin.php in Piwigo through 2.8.3 doesn't validate the sections variable while using it to include files. This can cause information disclosure and code execution if it contains a .. sequence.

  • CVE-2017-10679 · High · Jun 29, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    Piwigo through 2.9.1 allows remote attackers to obtain sensitive information about the descriptive name of a permalink by examining the redirect URL that is returned in a request for the permalink ID number of a private album. The permalink ID numbers are easily guessed.

  • CVE-2014-4613 · Medium · Mar 16, 2018
    risk 0.46 · cvss 6.5 · epss 0.03

    Cross-site request forgery (CSRF) vulnerability in the administration panel in Piwigo before 2.6.2 allows remote attackers to hijack the authentication of administrators for requests that add users via a pwg.users.add action in a request to ws.php.

  • CVE-2026-27833 · High · Apr 3, 2026
    risk 0.42 · cvss 7.5 · epss 0.02

    Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the pwg.history.search API method in Piwigo is registered without the admin_only option, allowing unauthenticated users to access the full browsing history of all gallery visitors. This…

  • CVE-2017-16893 · Medium · Dec 1, 2017
    risk 0.42 · cvss 6.5 · epss 0.01

    The application Piwigo is affected by an SQL injection vulnerability in version 2.9.2 and possibly prior. This vulnerability allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database.…

  • CVE-2017-9463 · Medium · Jun 14, 2017
    risk 0.42 · cvss 6.5 · epss 0.02

    The application Piwigo is affected by a SQL injection vulnerability in version 2.9.0 and possibly prior. This vulnerability allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. The…

  • CVE-2026-27885 · High · Apr 3, 2026
    risk 0.40 · cvss 7.2 · epss 0.00

    Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability was discovered in Piwigo affecting the Activity List API endpoint. This vulnerability allows an authenticated administrator to extract sensitive data from the…

  • CVE-2026-27834 · High · Apr 3, 2026
    risk 0.40 · cvss 7.2 · epss 0.00

    Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is directly concatenated into a SQL query without proper sanitization, allowing…

  • CVE-2017-9425 · Medium · Feb 26, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    The Facetag extension 0.0.3 for Piwigo allows XSS via the name parameter to ws.php in a facetag.changeTag action.

  • CVE-2018-5692 · Medium · Jan 14, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    Piwigo v2.8.2 has XSS via the `tab`, `to`, `section`, `mode`, `installstatus`, and `display` parameters of the `admin.php` file.

  • CVE-2017-17826 · Medium · Dec 21, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    The Configuration component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via the gallery_title parameter in an admin.php?page=configuration&section=main request. An attacker can exploit this to hijack a client's browser along with the data stored in it.

  • CVE-2017-17775 · Medium · Dec 20, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Piwigo 2.9.2 has XSS via the name parameter in an admin.php?page=album-3-properties request.

  • CVE-2017-9464 · Medium · Jun 14, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    An open redirect vulnerability is present in Piwigo 2.9 and probably prior versions, allowing remote attackers to redirect users to arbitrary web sites and conduct phishing attacks. The identification.php component is affected by this issue: the "redirect" parameter is not…

  • CVE-2017-5608 · Medium · Jan 28, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability in the image upload function in Piwigo before 2.8.6 allows remote attackers to inject arbitrary web script or HTML via a crafted image filename.

  • CVE-2016-10085 · High · Dec 30, 2016
    risk 0.40 · cvss 7.2 · epss 0.02

    admin/languages.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the tab parameter.

  • CVE-2016-10084 · High · Dec 30, 2016
    risk 0.40 · cvss 7.2 · epss 0.02

    admin/batch_manager.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the $page['tab'] variable (aka the mode parameter).

  • CVE-2016-9751 · Medium · Dec 1, 2016
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability in the search results front end in Piwigo 2.8.3 allows remote attackers to inject arbitrary web script or HTML via the search parameter.

  • CVE-2018-7724 · Medium · Mar 6, 2018
    risk 0.35 · cvss 5.4 · epss 0.00

    The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /admin.php?page=photo-${photo_number} request. CSRF exploitation, related to CVE-2017-10681, may be possible.

  • CVE-2018-7723 · Medium · Mar 6, 2018
    risk 0.35 · cvss 5.4 · epss 0.01

    The management panel in Piwigo 2.9.3 has stored XSS via the virtual_name parameter in a /admin.php?page=cat_list request, a different issue than CVE-2017-9836. CSRF exploitation, related to CVE-2017-10681, may be possible.

  • CVE-2018-7722 · Medium · Mar 6, 2018
    risk 0.35 · cvss 5.4 · epss 0.01

    The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /ws.php?format=json request. CSRF exploitation, related to CVE-2017-10681, may be possible.

  • CVE-2016-10514 · Medium · Oct 10, 2017
    risk 0.35 · cvss 6.5 · epss 0.01

    url_check_format in include/functions.inc.php in Piwigo before 2.8.3 allows remote attackers to bypass intended access restrictions via a URL that contains a " character, or a URL beginning with a substring other than the http:// or https:// substring.

  • CVE-2016-10513 · Medium · Oct 10, 2017
    risk 0.33 · cvss 6.1 · epss 0.01

    Cross Site Scripting (XSS) exists in Piwigo before 2.8.3 via a crafted search expression to include/functions_search.inc.php.

  • CVE-2016-10083 · Medium · Dec 30, 2016
    risk 0.33 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability in admin/plugin.php in Piwigo through 2.8.3 allows remote attackers to inject arbitrary web script or HTML via a crafted filename that is mishandled in a certain error case.

  • CVE-2018-6883 · Medium · Feb 24, 2018
    risk 0.32 · cvss 4.9 · epss 0.01

    Piwigo before 2.9.3 has SQL injection in admin/tags.php in the administration panel, via the tags array parameter in an admin.php?page=tags request. The attacker must be an administrator.

  • CVE-2017-17824 · Medium · Dec 21, 2017
    risk 0.32 · cvss 4.9 · epss 0.01

    The Batch Manager component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/batch_manager_unit.php element_ids parameter in unit mode. An attacker can exploit this to gain access to the data in a connected MySQL database.

  • CVE-2017-17823 · Medium · Dec 21, 2017
    risk 0.32 · cvss 4.9 · epss 0.01

    The Configuration component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/configuration.php order_by array parameter. An attacker can exploit this to gain access to the data in a connected MySQL database.

  • CVE-2017-17822 · Medium · Dec 21, 2017
    risk 0.32 · cvss 4.9 · epss 0.01

    The List Users API of Piwigo 2.9.2 is vulnerable to SQL Injection via the /admin/user_list_backend.php sSortDir_0 parameter. An attacker can exploit this to gain access to the data in a connected MySQL database.

  • CVE-2017-17825 · Medium · Dec 21, 2017
    risk 0.31 · cvss 4.8 · epss 0.01

    The Batch Manager component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via tags-* array parameters in an admin.php?page=batch_manager&mode=unit request. An attacker can exploit this to hijack a client's browser along with the data stored in it.

  • CVE-2017-9836 · Medium · Jun 24, 2017
    risk 0.31 · cvss 4.8 · epss 0.01

    Cross-site scripting (XSS) vulnerability in Piwigo 2.9.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the virtual_name parameter to /admin.php (i.e., creating a virtual album).

  • CVE-2017-9452 · Medium · Jun 6, 2017
    risk 0.31 · cvss 4.8 · epss 0.01

    Cross-site scripting (XSS) vulnerability in admin.php in Piwigo 2.9.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the page parameter.

  • CVE-2023-26876 · Apr 21, 2023
    risk 0.07 · cvss n/a · epss 0.10

    SQL injection vulnerability found in Piwigo v.13.5.0 and before allows a remote attacker to execute arbitrary code via the filter_user_id parameter to the admin.php?page=history&filter_image_id=&filter_user_id endpoint.

  • CVE-2013-1469 · Mar 13, 2013
    risk 0.07 · cvss n/a · epss 0.56

    Directory traversal vulnerability in install.php in Piwigo before 2.4.7 allows remote attackers to read and delete arbitrary files via a .. (dot dot) in the dl parameter.

  • CVE-2012-2208 · Aug 14, 2012
    risk 0.04 · cvss n/a · epss 0.09

    Directory traversal vulnerability in upgrade.php in Piwigo before 2.3.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter.

  • CVE-2023-33362 · May 23, 2023
    risk 0.03 · cvss n/a · epss 0.09

    Piwigo 13.6.0 is vulnerable to SQL Injection in the "profile" function.

  • CVE-2021-27973 · Apr 2, 2021
    risk 0.03 · cvss n/a · epss 0.11

    SQL injection exists in Piwigo before 11.4.0 via the language parameter to admin.php?page=languages.

  • CVE-2020-9467 · Mar 26, 2020
    risk 0.03 · cvss n/a · epss 0.24

    Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php request because of the pwg.images.setInfo function.

  • CVE-2014-9115 · Dec 23, 2014
    risk 0.03 · cvss n/a · epss 0.03

    SQL injection vulnerability in the rate_picture function in include/functions_rate.inc.php in Piwigo before 2.5.5, 2.6.x before 2.6.4, and 2.7.x before 2.7.2 allows remote attackers to execute arbitrary SQL commands via the rate parameter to picture.php, related to an improper…

  • CVE-2013-1468 · Mar 14, 2013
    risk 0.03 · cvss n/a · epss 0.06

    Cross-site request forgery (CSRF) vulnerability in the LocalFiles Editor plugin in Piwigo before 2.4.7 allows remote attackers to hijack the authentication of administrators for requests that create arbitrary PHP files via unspecified vectors.

  • CVE-2012-2209 · Aug 14, 2012
    risk 0.03 · cvss n/a · epss 0.04

    Multiple cross-site scripting (XSS) vulnerabilities in admin.php in Piwigo before 2.3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) section parameter in the configuration module, (2) installstatus parameter in the languages_new module, or (3) theme…

  • CVE-2025-62512 · Feb 24, 2026
    risk 0.00 · cvss n/a · epss 0.01

    Piwigo is an open source photo gallery application for the web. In version 15.5.0 and likely earlier 15.x releases, the password reset functionality in Piwigo allows an unauthenticated attacker to determine whether a given username or email address exists in the system. The…

  • CVE-2024-48928 · Feb 24, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Piwigo is an open source photo gallery application for the web. In versions on the 14.x branch, when installing, the secret_key configuration parameter is set to MD5(RAND()) in MySQL. However, RAND() only has 30 bits of randomness, making it feasible to brute-force the secret…

  • CVE-2025-62406 · Nov 18, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Piwigo is a full featured open source photo gallery application for the web. In Piwigo 15.6.0, using the password reset function allows sending a password-reset URL by entering an existing username or email address. However, the hostname used to construct this URL is taken from…

Page 1 of 3