Description
XooGallery Latest contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through the photo_id parameter. Attackers can send GET requests to photo.php with malicious photo_id values to extract sensitive data, bypass authentication, or modify database contents.
Published: 2026-03-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Compromise
Action: Immediate Patch
AI Analysis

Impact

A web application in Xooscripts XooGallery is affected by multiple SQL injection points in photo.php. The flaw allows an attacker to control the SQL query executed against the database by supply a malicious photo_id value in a GET request. This can lead to sensitive data extraction, authentication bypass, or unauthorized modification of database contents. The weakness is classified as CWE-89, reflecting improper handling of external input in SQL statements.

Affected Systems

The vulnerability resides in Xooscripts XooGallery, specifically in the current or latest releases that have not been patched. No explicit version range is provided, so any installation of XooGallery that includes the original photo.php code is potentially vulnerable unless a later fix has been applied.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while the EPSS score of less than 1% suggests that exploitation is currently uncommon. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a remote attacker to craft a GET request to photo.php with a malicious photo_id value, which means the attack vector is likely the web application interface. Given the high impact potential and the need for authentication bypass, the risk to affected systems remains significant until mitigated.

Generated by OpenCVE AI on March 23, 2026 at 14:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor update that patches the SQL injection flaw in photo.php.
  • Enforce authentication before allowing access to photo.php, ensuring only authorized users can invoke photo_id queries.
  • Implement input validation or parameterized queries to prevent arbitrary SQL execution.
  • Limit the database privileges granted to the web application to read‑only where feasible.
  • Deploy a web application firewall that detects and blocks suspicious GET requests targeting photo_id parameters.

Generated by OpenCVE AI on March 23, 2026 at 14:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 13:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:xooscripts:xoogallery:-:*:*:*:*:*:*:*

Fri, 13 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Xooscripts
Xooscripts xoogallery
Vendors & Products Xooscripts
Xooscripts xoogallery

Thu, 12 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description XooGallery Latest contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through the photo_id parameter. Attackers can send GET requests to photo.php with malicious photo_id values to extract sensitive data, bypass authentication, or modify database contents.
Title XooGallery Lastest Latest Multiple SQL Injections via photo.php
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Xooscripts Xoogallery
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-12T16:43:33.557Z

Reserved: 2026-03-12T13:55:08.505Z

Link: CVE-2019-25522

cve-icon Vulnrichment

Updated: 2026-03-12T16:43:29.588Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-12T16:16:05.330

Modified: 2026-03-23T13:43:25.977

Link: CVE-2019-25522

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:39:50Z

Weaknesses