HIGHCVE-2026-27634Published 2026-04-03Modified 2026-04-06CNA GitHub_M

CVE-2026-27634: Piwigo: Pre-auth SQL injection via date filter parameters in ws_std_image_sql_filter

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the four date filter parameters (f_min_date_available, f_max_date_available, f_min_date_created, f_max_date_created) in ws_std_image_sql_filter() are concatenated directly into SQL without any escaping or type validation. This could result in an unauthenticated attacker reading the full database, including user password hashes. This issue has been patched in version 16.3.0.

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

Piwigo / Piwigo
< 16.3.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

https://github.com/Piwigo/Piwigo/security/advisories/GHSA-mgqc-3445-qghq
https://github.com/Piwigo/Piwigo/commit/0d5ed1f7778bbe263410446d8cf64594df75bd08
https://piwigo.org/release-16.3.0

Metrics