CVE-2026-27834

EUVD-2026-18872
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is directly concatenated into a SQL query without proper sanitization, allowing authenticated administrators to execute arbitrary SQL commands. This issue has been patched in version 16.3.0.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 15%
Affected Products (NVD)
VendorProductVersion
piwigopiwigo
𝑥
< 16.3.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/Piwigo/Piwigo/commit/9df471f16243371dc3725c5262e1632d23c8218a
https://github.com/Piwigo/Piwigo/security/advisories/GHSA-5jwg-cr5q-vjq2
https://piwigo.org/release-16.3.0
https://github.com/Piwigo/Piwigo/security/advisories/GHSA-5jwg-cr5q-vjq2