VYPR Vendor CVEs: Piwigo (All CVEs)

107 total · sorted by risk
  • CVE-2024-43018 · Jul 29, 2025
    risk 0.00 · cvss · epss 0.00

    Piwigo 13.8.0 and below is vulnerable to SQL Injection in the parameters max_level and min_register. These parameters are used in ws_user_gerList function from file include\ws_functions\pwg.users.php and this same function is called by ws.php file at some point can be used for…

  • CVE-2024-52701 · Nov 20, 2024
    risk 0.00 · cvss · epss 0.00

    A stored cross-site scripting (XSS) vulnerability in the Configuration page of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page banner parameter.

  • CVE-2024-48311 · Oct 31, 2024
    risk 0.00 · cvss · epss 0.00

    Piwigo v14.5.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Edit album function.

  • CVE-2024-46605 · Oct 16, 2024
    risk 0.00 · cvss · epss 0.00

    A cross-site scripting (XSS) vulnerability in the component /admin.php?page=album of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description field.

  • CVE-2024-46606 · Oct 16, 2024
    risk 0.00 · cvss · epss 0.00

    A cross-site scripting (XSS) vulnerability in the component /admin.php?page=photo of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description field.

  • CVE-2024-46333 · Sep 27, 2024
    risk 0.00 · cvss · epss 0.00

    An authenticated cross-site scripting (XSS) vulnerability in Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Album Name parameter under the Add Album function.

  • CVE-2024-28662 · Mar 13, 2024
    risk 0.00 · cvss · epss 0.00

    A Cross Site Scripting vulnerability exists in Piwigo before 14.3.0 script because of missing sanitization in create_tag in admin/include/functions.php.

  • CVE-2024-26450 · Feb 28, 2024
    risk 0.00 · cvss · epss 0.00

    An issue exists within Piwigo before v.14.2.0 allowing a malicious user to take over the application. This exploit involves chaining a Cross Site Request Forgery vulnerability to issue a Stored Cross Site Scripting payload stored within an Admin user's dashboard, executing…

  • CVE-2023-51790 · Jan 12, 2024
    risk 0.00 · cvss · epss 0.01

    Cross Site Scripting vulnerability in piwigo v.14.0.0 allows a remote attacker to obtain sensitive information via the lang parameter in the Admin Tools plug-in component.

  • CVE-2023-44393 · Oct 9, 2023
    risk 0.00 · cvss · epss 0.01

    Piwigo is an open source photo gallery application. Prior to version 14.0.0beta4, a reflected cross-site scripting (XSS) vulnerability is in the `/admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page. This vulnerability can be exploited by an attacker to inject…

  • CVE-2023-37270 · Jul 7, 2023
    risk 0.00 · cvss · epss 0.04

    Piwigo is open source photo gallery software. Prior to version 13.8.0, there is a SQL Injection vulnerability in the login of the administrator screen. The SQL statement that acquires the HTTP Header `User-Agent` is vulnerable at the endpoint that records user information when…

  • CVE-2023-34626 · Jun 15, 2023
    risk 0.00 · cvss · epss 0.01

    Piwigo 13.7.0 is vulnerable to SQL Injection via the "Users" function.

  • CVE-2023-33359 · May 23, 2023
    risk 0.00 · cvss · epss 0.00

    Piwigo 13.6.0 is vulnerable to Cross Site Request Forgery (CSRF) in the "add tags" function.

  • CVE-2023-33361 · May 23, 2023
    risk 0.00 · cvss · epss 0.01

    Piwigo 13.6.0 is vulnerable to SQL Injection via /admin/permalinks.php.

  • CVE-2023-27233 · May 17, 2023
    risk 0.00 · cvss · epss 0.01

    Piwigo before 13.6.0 was discovered to contain a SQL injection vulnerability via the order[0][dir] parameter at user_list_backend.php.

  • CVE-2022-48007 · Jan 27, 2023
    risk 0.00 · cvss · epss 0.00

    A stored cross-site scripting (XSS) vulnerability in identification.php of Piwigo v13.4.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the User-Agent.

  • CVE-2014-125053 · Jan 6, 2023
    risk 0.00 · cvss · epss 0.01

    A vulnerability was found in Piwigo-Guest-Book up to 1.3.0. It has been declared as critical. This vulnerability affects unknown code of the file include/guestbook.inc.php of the component Navigation Bar. The manipulation of the argument start leads to sql injection. Upgrading…

  • CVE-2022-37183 · Aug 31, 2022
    risk 0.00 · cvss · epss 0.01

    Piwigo 12.3.0 is vulnerable to Cross Site Scripting (XSS) via /search/1940/created-monthly-list.

  • CVE-2022-32297 · Jul 14, 2022
    risk 0.00 · cvss · epss 0.01

    Piwigo v12.2.0 was discovered to contain SQL injection vulnerability via the Search function.

  • CVE-2021-40553 · Jun 28, 2022
    risk 0.00 · cvss · epss 0.02

    piwigo 11.5.0 is affected by a remote code execution (RCE) vulnerability in the LocalFiles Editor.

  • CVE-2021-40678 · Jun 14, 2022
    risk 0.00 · cvss · epss 0.00

    In Piwigo 11.5.0, there exists a persistent cross-site scripting in the single mode function through /admin.php?page=batch_manager&mode=unit.

  • CVE-2021-40317 · May 26, 2022
    risk 0.00 · cvss · epss 0.01

    Piwigo 11.5.0 is affected by a SQL injection vulnerability via admin.php and the id parameter.

  • CVE-2020-19217 · May 6, 2022
    risk 0.00 · cvss · epss 0.01

    SQL Injection vulnerability in admin/batch_manager.php in piwigo v2.9.5, via the filter_category parameter to admin.php?page=batch_manager.

  • CVE-2020-19216 · May 6, 2022
    risk 0.00 · cvss · epss 0.01

    SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=group_perm.

  • CVE-2020-19215 · May 6, 2022
    risk 0.00 · cvss · epss 0.01

    SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=user_perm.

  • CVE-2020-19213 · May 6, 2022
    risk 0.00 · cvss · epss 0.16

    SQL Injection vulnerability in cat_move.php in piwigo v2.9.5, via the selection parameter to move_categories.

  • CVE-2020-19212 · May 6, 2022
    risk 0.00 · cvss · epss 0.01

    SQL Injection vulnerability in admin/group_list.php in piwigo v2.9.5, via the group parameter to delete.

  • CVE-2022-26267 · Mar 18, 2022
    risk 0.00 · cvss · epss 0.01

    Piwigo v12.2.0 was discovered to contain an information leak via the action parameter in /admin/maintenance_actions.php.

  • CVE-2022-26266 · Mar 18, 2022
    risk 0.00 · cvss · epss 0.01

    Piwigo v12.2.0 was discovered to contain a SQL injection vulnerability via pwg.users.php.

  • CVE-2022-24620 · Feb 23, 2022
    risk 0.00 · cvss · epss 0.01

    Piwigo version 12.2.0 is vulnerable to stored cross-site scripting (XSS), which can lead to privilege escalation. In this way, an admin can steal the webmaster's cookies to gain the webmaster's access.

  • CVE-2021-45357 · Feb 10, 2022
    risk 0.00 · cvss · epss 0.01

    Cross Site Scripting (XSS) vulnerability exists in Piwigo 12.x via the pwg_activity function in include/functions.inc.php.

  • CVE-2016-3735 · Jan 28, 2022
    risk 0.00 · cvss · epss 0.01

    Piwigo is image gallery software written in PHP. When a criterion is not met on a host, Piwigo defaults to using mt_rand in order to generate password reset tokens. mt_rand output can be predicted after recovering the seed used to generate it. This allows an unauthenticated attacker…

  • CVE-2021-40882 · Dec 14, 2021
    risk 0.00 · cvss · epss 0.01

    A Cross Site Scripting (XSS) vulnerability exists in Piwigo 11.5.0 via the system album name and description of the location.

  • CVE-2021-40313 · Dec 6, 2021
    risk 0.00 · cvss · epss 0.01

    Piwigo v11.5 was discovered to contain a SQL injection vulnerability via the parameter pwg_token in /admin/batch_manager_global.php.

  • CVE-2020-22150 · Jul 21, 2021
    risk 0.00 · cvss · epss 0.01

    A cross site scripting (XSS) vulnerability in /admin.php?page=permalinks of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML.

  • CVE-2020-22148 · Jul 21, 2021
    risk 0.00 · cvss · epss 0.01

    A stored cross site scripting (XSS) vulnerability in /admin.php?page=tags of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML.

  • CVE-2021-32615 · May 13, 2021
    risk 0.00 · cvss · epss 0.02

    Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection.

  • CVE-2021-31783 · Apr 26, 2021
    risk 0.00 · cvss · epss 0.01

    show_default.php in the LocalFilesEditor extension before 11.4.0.1 for Piwigo allows Local File Inclusion because the file parameter is not validated with a proper regular-expression check.

  • CVE-2014-8944 · Jun 1, 2020
    risk 0.00 · cvss · epss 0.01

    Lexiglot through 2014-11-20 allows XSS (Reflected) via the username, or XSS (Stored) via the admin.php?page=config install_name, intro_message, or new_file_content parameter.

  • CVE-2020-8089 · Feb 10, 2020
    risk 0.00 · cvss · epss 0.01

    Piwigo 2.10.1 is affected by stored XSS via the Group Name Field to the group_list page.

  • CVE-2012-4526 · Dec 2, 2019
    risk 0.00 · cvss · epss 0.01

    Piwigo has XSS in password.php (incomplete fix for CVE-2012-4525).

  • CVE-2012-4525 · Dec 2, 2019
    risk 0.00 · cvss · epss 0.01

    Piwigo has XSS in password.php.

  • CVE-2019-13364 · Sep 13, 2019
    risk 0.00 · cvss · epss 0.01

    admin.php?page=account_billing in Piwigo 2.9.5 has XSS via the vat_number, billing_name, company, or billing_address parameter. This is exploitable via CSRF.

  • CVE-2019-13363 · Sep 13, 2019
    risk 0.00 · cvss · epss 0.01

    admin.php?page=notification_by_mail in Piwigo 2.9.5 has XSS via the nbm_send_html_mail, nbm_send_mail_as, nbm_send_detailed_content, nbm_complementary_mail_content, nbm_send_recent_post_dates, or param_submit…

  • CVE-2015-2035 · Feb 20, 2015
    risk 0.00 · cvss · epss 0.02

    SQL injection vulnerability in the administrative backend in Piwigo before 2.7.4 allows remote administrators to execute arbitrary SQL commands via the user parameter in the history page to admin.php.

  • CVE-2015-2034 · Feb 20, 2015
    risk 0.00 · cvss · epss 0.02

    Cross-site scripting (XSS) vulnerability in the administrative backend in Piwigo before 2.7.4 allows remote attackers to inject arbitrary web script or HTML via the page parameter to admin.php.

  • CVE-2015-1517 · Feb 20, 2015
    risk 0.00 · cvss · epss 0.03

    SQL injection vulnerability in Piwigo before 2.7.4, when all filters are activated, allows remote authenticated users to execute arbitrary SQL commands via the filter_level parameter in a "Refresh photo set" action in the batch_manager page to admin.php.

  • CVE-2015-1441 · Feb 3, 2015
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability in Piwigo before 2.5.6, 2.6.x before 2.6.5, and 2.7.x before 2.7.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2014-3900 · Aug 17, 2014
    risk 0.00 · cvss · epss 0.02

    Cross-site scripting (XSS) vulnerability in admin/picture_modify.php in the photo-edit subsystem in Piwigo 2.6.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the associate[] field, a different vulnerability than CVE-2014-4649.

  • CVE-2014-1980 · Aug 14, 2014
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in include/functions_metadata.inc.php in Piwigo before 2.4.6 allows remote attackers to inject arbitrary web script or HTML via the Make field in IPTC Exif metadata within an image uploaded to the Community plugin.