Description
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the four date filter parameters (f_min_date_available, f_max_date_available, f_min_date_created, f_max_date_created) in ws_std_image_sql_filter() are concatenated directly into SQL without any escaping or type validation. This could result in an unauthenticated attacker reading the full database, including user password hashes. This issue has been patched in version 16.3.0.
Published: 2026-04-03
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated database read via SQL injection
Action: Immediate Patch
AI Analysis

Impact

The flaw is a textbook SQL injection (CWE-89): the four date filter values (f_min_date_available, f_max_date_available, f_min_date_created, f_max_date_created) are concatenated into the WHERE clause that ws_std_image_sql_filter() builds, without escaping or type validation, so a value that closes the quoted string can append arbitrary SQL to the query. Because the function is reached through web-service methods that accept these parameters from clients that have not logged in, an unauthenticated attacker can read the entire database, including user password hashes. All releases prior to 16.3.0 are affected.
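The concatenation pattern described above and its hardened counterpart, as an added example in Python that is not Piwigo's code: the schema, column names, sample rows and password-hash value are constructed, and only the four parameter names come from the advisory. The vulnerable builder interpolates the raw value into the WHERE clause, so a value that closes the quote can UNION in the users table; the hardened builder rejects anything that is not a well-formed date and binds the value as a query parameter.

```python
"""Pre-auth SQL injection through a date filter, beside the hardened form.

Illustrative reconstruction of the concatenation pattern in the advisory.
This is not Piwigo's code: the tables, columns and rows are constructed.
"""
import re
import sqlite3
from datetime import datetime

# The four parameters named in the advisory, mapped to the column each one
# filters and the comparison it applies (column names are assumptions).
DATE_FILTERS = {
    "f_min_date_available": ("date_available", ">="),
    "f_max_date_available": ("date_available", "<="),
    "f_min_date_created": ("date_creation", ">="),
    "f_max_date_created": ("date_creation", "<="),
}

# Strict shape check: YYYY-MM-DD with an optional HH:MM:SS.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}( \d{2}:\d{2}:\d{2})?$")


def build_db():
    """Constructed sample data: a gallery table and a users table with hashes."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE images (id INTEGER, name TEXT, date_available TEXT, date_creation TEXT);
        INSERT INTO images VALUES (1, 'sunset.jpg', '2025-06-01 10:00:00', '2025-05-30 18:12:00');
        INSERT INTO images VALUES (2, 'beach.jpg', '2025-07-15 09:30:00', '2025-07-10 12:00:00');
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'pwhash-constructed-not-real');
        """
    )
    return con


def vulnerable_filter(con, params):
    """Concatenates the raw parameter into the WHERE clause (the flawed pattern)."""
    clauses = []
    for name, (column, op) in DATE_FILTERS.items():
        if name in params:
            clauses.append(f"{column} {op} '{params[name]}'")
    sql = "SELECT id, name FROM images"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return con.execute(sql).fetchall()


def hardened_filter(con, params):
    """Validates each date value, then binds it as a query parameter."""
    clauses, args = [], []
    for name, (column, op) in DATE_FILTERS.items():
        if name in params:
            value = params[name]
            if not DATE_RE.match(value):
                raise ValueError(f"{name}: not a date")
            fmt = "%Y-%m-%d %H:%M:%S" if " " in value else "%Y-%m-%d"
            datetime.strptime(value, fmt)  # rejects e.g. month 13
            clauses.append(f"{column} {op} ?")
            args.append(value)
    sql = "SELECT id, name FROM images"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return con.execute(sql, args).fetchall()


# UNION payload: closes the quote, appends a second SELECT, comments out the rest.
PAYLOAD = "x' UNION SELECT username, password FROM users --"


def demo():
    """Run the payload through both builders and a legitimate date through the hardened one."""
    con = build_db()
    leaked = vulnerable_filter(con, {"f_min_date_available": PAYLOAD})
    try:
        hardened_filter(con, {"f_min_date_available": PAYLOAD})
        blocked = False
    except ValueError:
        blocked = True
    legit = hardened_filter(con, {"f_min_date_available": "2025-07-01"})
    return leaked, blocked, legit


if __name__ == "__main__":
    leaked, blocked, legit = demo()
    print("vulnerable builder returned:", leaked)
    print("hardened builder rejected payload:", blocked)
    print("hardened builder, legitimate filter:", legit)
```

The two builders produce identical results for a genuine date, which is why this class of bug survives functional testing; only the shape check plus parameter binding changes what happens when the value is not a date.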

Affected Systems

All Piwigo installations running a release before 16.3.0 are affected; the CPE recorded for this CVE (cpe:2.3:a:piwigo:piwigo:*) is version-unbounded, so treat every 16.2.x and earlier release as vulnerable. The issue was corrected in the 16.3.0 release.

Risk and Exploitability

The CVSS v4.0 base score is 8.7 (High); its vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N) rates the impact as confidentiality only, whereas NVD's CVSS v3.1 assessment (9.8, C:H/I:H/A:H) also counts integrity and availability. The EPSS score below 1% indicates that exploitation in the wild is currently rare, and the CVE is not in the CISA KEV catalog, so no active exploitation has been documented; the SSVC record does, however, mark Exploitation as 'poc', meaning proof-of-concept code is known to exist. Based on the description, the attack is a crafted HTTP request to a Piwigo web-service method that accepts the date filter parameters, supplying SQL in place of a date value. ws_std_image_sql_filter() is a server-side helper rather than an endpoint of its own, so any API method that passes these parameters to it is a path to the flaw. Because no authentication is required and the web service is normally internet-facing, exploitation can be attempted from any network position and results in full database disclosure.

Generated by OpenCVE AI on April 9, 2026 at 23:54 UTC.

Remediation

Vendor fix: upgrade to Piwigo 16.3.0 or later, which contains the patch described above. No vendor-supplied workaround is listed.

OpenCVE Recommended Actions

  • Upgrade the Piwigo installation to version 16.3.0 or later to apply the SQL injection fix.
  • If an upgrade cannot be performed immediately, restrict access to Piwigo's web-service entry point (ws.php), through which the vulnerable filter function is reached, to trusted IP addresses using firewall or web-server rules. This also blocks legitimate API clients, so treat it as a stopgap rather than a fix.
  • Verify that the patch has been applied by confirming the running version is 16.3.0 or later (for example in the administration dashboard), or by reviewing ws_std_image_sql_filter() in the deployed source to confirm the date parameters are validated or escaped before they reach the query.
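A detection check to accompany the recommended actions above, added here as example code and not something shipped with Piwigo or OpenCVE: it scans web-server access-log lines for requests to ws.php (Piwigo's web-service entry point) whose date filter parameters do not look like dates. The log lines, client addresses and the API method name in them are constructed. Only GET query strings appear in an access log, so parameters sent in a POST body need the application or WAF log instead.

```python
"""Flag web-service requests whose date filter parameters are not dates.

Added hunting example; the log lines below are constructed in Apache/nginx
combined format and are not real traffic.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# The four date filter parameters named in the advisory.
DATE_PARAMS = {
    "f_min_date_available", "f_max_date_available",
    "f_min_date_created", "f_max_date_created",
}

# A legitimate value is YYYY-MM-DD, optionally followed by HH:MM:SS.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}( \d{2}:\d{2}:\d{2})?$")

# Client address and request target from a combined-format line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log: three benign requests and one injection attempt.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Apr/2026:10:00:01 +0000] "GET /ws.php?format=json&method=pwg.categories.getImages&f_min_date_available=2026-01-01 HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Apr/2026:10:00:02 +0000] "GET /index.php?/category/3 HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Apr/2026:10:00:05 +0000] "GET /ws.php?format=json&method=pwg.categories.getImages&f_min_date_available=x%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20piwigo_users--%20 HTTP/1.1" 200 2210 "-" "python-requests/2.31"
198.51.100.7 - - [05/Apr/2026:10:00:06 +0000] "GET /ws.php?format=json&method=pwg.categories.getImages&f_max_date_created=2026-01-01%2000:00:00 HTTP/1.1" 200 1432 "-" "python-requests/2.31"
"""


def suspicious_requests(log_text):
    """Return (client, parameter, decoded value) for each date filter value that is not a date."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/ws.php"):
            continue
        # parse_qsl percent-decodes, so the value is what the application saw.
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if key in DATE_PARAMS and not DATE_RE.match(value):
                findings.append((client, key, value))
    return findings


if __name__ == "__main__":
    for client, key, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client} sent {key}={value!r}")
```

Percent-decoding before matching matters: the payload in the sample arrives as `x%27%20UNION...`, and a rule that looks for a quote or the word UNION in the raw line misses variants that encode them differently, whereas "is this a date" has no such gaps. A value that passes the shape check can still be probed for time-based or boolean tricks only if the application accepts it, which is exactly what the fixed version refuses.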

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 21:15:00 +0000

  Type      Values Removed   Values Added
  CPEs      -                cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*
  Metrics   -                cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 07 Apr 2026 00:00:00 +0000

  Type                  Values Removed   Values Added
  First Time appeared   -                Piwigo; Piwigo piwigo
  Vendors & Products    -                Piwigo; Piwigo piwigo

Mon, 06 Apr 2026 14:15:00 +0000

  Type      Values Removed   Values Added
  Metrics   -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 21:30:00 +0000

  Type          Values Removed   Values Added
  Description   -                Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the four date filter parameters (f_min_date_available, f_max_date_available, f_min_date_created, f_max_date_created) in ws_std_image_sql_filter() are concatenated directly into SQL without any escaping or type validation. This could result in an unauthenticated attacker reading the full database, including user password hashes. This issue has been patched in version 16.3.0.
  Title         -                Piwigo: Pre-auth SQL injection via date filter parameters in ws_std_image_sql_filter
  Weaknesses    -                CWE-89
  References    -
  Metrics       -                cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T13:13:42.809Z

Reserved: 2026-02-20T22:02:30.028Z

Link: CVE-2026-27634

Vulnrichment

Updated: 2026-04-06T13:13:38.241Z

NVD

Status : Analyzed

Published: 2026-04-03T22:16:25.720

Modified: 2026-04-09T21:14:23.150

Link: CVE-2026-27634

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:45:39Z

Weaknesses