Description
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the pwg.history.search API method in Piwigo is registered without the admin_only option, allowing unauthenticated users to access the full browsing history of all gallery visitors. This issue has been patched in version 16.3.0.
Published: 2026-04-03
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure of Browsing History
Action: Apply Patch
AI Analysis

Impact

The pwg.history.search API method was registered without the admin_only option, so Piwigo's web service layer never checked that the caller was an administrator before executing it. Anyone able to reach the application could therefore query and retrieve the complete browsing history of all gallery visitors, including which albums and photos were recently viewed. The root cause is a missing authorization check (CWE‑862, Missing Authorization); the consequence is information disclosure only. No code execution or privilege escalation results from this flaw.

Affected Systems

The defect affects the Piwigo photo gallery application in all versions prior to 16.3.0; the fix ships in 16.3.0. Because the web API is part of the same publicly reachable application, any internet‑facing gallery on an older release exposes the method to anonymous callers. Administrators should confirm the installed version and upgrade rather than assume the method is unreachable.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) reflects a network‑reachable flaw that needs no privileges or user interaction and fully compromises confidentiality while leaving integrity and availability untouched. The EPSS score below 1 percent indicates a low predicted probability of in‑the‑wild exploitation, and the vulnerability is not listed in the CISA KEV catalog. However, the SSVC assessment recorded for this CVE marks it as automatable with a proof of concept available, and the attack is a single unauthenticated HTTP request to the API endpoint, so any gallery reachable from the internet should be treated as exposed. The disclosed browsing history (who viewed which albums and photos, and when) can support targeted social engineering or phishing. Prompt upgrade to 16.3.0 is recommended.

Generated by OpenCVE AI on April 9, 2026 at 22:58 UTC.

Remediation

Vendor fix: upgrade to Piwigo 16.3.0 or later, which is the release that restricts pwg.history.search to administrators. No separate workaround is documented by the vendor.

OpenCVE Recommended Actions

  • Determine your current Piwigo version from the administration interface (or by calling the pwg.getVersion API method); anything below 16.3.0 is affected.
  • Download Piwigo 16.3.0 or a later release from the official Piwigo website or GitHub repository.
  • Follow the upgrade instructions provided by Piwigo to replace the old installation with the new version.
  • After upgrading, confirm that an unauthenticated call to pwg.history.search is refused: the API should answer with an access‑denied error rather than history records.
  • If an upgrade cannot be performed immediately, block anonymous access to the web API endpoint (ws.php) for that method using web server configuration or firewall rules until the patch is applied. Piwigo also accepts API parameters via POST, so a rule that matches only the query string in the URL is incomplete.
  • Monitor web server access logs for repeated requests naming pwg.history.search, especially many in quick succession from a single source.
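The post‑upgrade check and the log monitoring above, as an added example (this is not Piwigo project code and not part of the advisory). It assumes Piwigo's standard web API conventions: the API is served by ws.php, the method is selected with a method= parameter, replies are JSON wrapped as {"stat":"ok",...} or {"stat":"fail","err":N,"message":...}, an admin‑only method refuses a guest with err 401 "Access denied", and the method name may also travel in a POST body. The sample replies and log lines are constructed; the layout of the history result is illustrative only.

```python
"""Verify and monitor exposure of pwg.history.search (CVE-2026-27833).

Added example, not Piwigo project code. Assumptions (Piwigo API conventions,
not stated in the advisory): API at ws.php, method chosen by ?method=, JSON
replies wrapped in {"stat":...}, err 401 "Access denied" for an admin-only
method called by a guest. Sample data below is constructed.
"""
import json
import re
import urllib.error
import urllib.request
from collections import Counter
from urllib.parse import parse_qs, urlencode, urlparse

TARGET_METHOD = "pwg.history.search"


def probe_url(base_url: str) -> str:
    """URL an anonymous caller would request; no session cookie is sent."""
    query = urlencode({"format": "json", "method": TARGET_METHOD})
    return f"{base_url.rstrip('/')}/ws.php?{query}"


def classify_response(body: str) -> str:
    """Classify a ws.php reply to an anonymous pwg.history.search call.

    'exposed' : the method ran and returned a result (pre-16.3.0 behaviour)
    'denied'  : Piwigo refused the call with err 401 (expected after upgrade)
    'error:N' : some other API failure, e.g. a parameter problem
    'unknown' : not a Piwigo API reply at all (HTML error page, WAF block, ...)
    """
    try:
        reply = json.loads(body)
    except ValueError:
        return "unknown"
    if not isinstance(reply, dict):
        return "unknown"
    stat = reply.get("stat")
    if stat == "ok":
        return "exposed"
    if stat == "fail":
        return "denied" if reply.get("err") == 401 else f"error:{reply.get('err')}"
    return "unknown"


def probe(base_url: str, timeout: float = 10.0) -> str:
    """Live check against a gallery you administer (network required)."""
    try:
        with urllib.request.urlopen(probe_url(base_url), timeout=timeout) as resp:
            body = resp.read()
    except urllib.error.HTTPError as exc:
        body = exc.read()  # an API error may still carry a JSON body
    return classify_response(body.decode("utf-8", "replace"))


# Combined log format: ip ident user [time] "verb target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<verb>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def names_history_search(target: str) -> bool:
    """True when the request line targets ws.php and its query string selects
    pwg.history.search. parse_qs percent-decodes, so an encoded method name is
    caught; case is normalised so odd casing is still flagged (whether Piwigo
    itself accepts odd casing is not assumed here)."""
    parsed = urlparse(target)
    if not parsed.path.endswith("/ws.php"):
        return False
    methods = parse_qs(parsed.query).get("method", [])
    return any(m.lower() == TARGET_METHOD for m in methods)


def find_probe_attempts(log_lines):
    """Return ({ip: count} of explicit pwg.history.search requests,
    number of POSTs to ws.php whose body the access log does not record).

    The second number is the blind spot: a method name sent in a POST body
    never reaches the access log, so a query-string match alone undercounts.
    """
    hits = Counter()
    unlogged_posts = 0
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if names_history_search(target):
            hits[m.group("ip")] += 1
        elif m.group("verb") == "POST" and urlparse(target).path.endswith("/ws.php"):
            unlogged_posts += 1
    return dict(hits), unlogged_posts


# Constructed sample data (the history result layout is illustrative only).
EXPOSED_REPLY = ('{"stat":"ok","result":{"history":[{"date":"2026-04-09",'
                 '"time":"21:15:01","user":"guest","image_id":12}]}}')
DENIED_REPLY = '{"stat":"fail","err":401,"message":"Access denied"}'
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Apr/2026:21:15:01 +0000] "GET /ws.php?format=json&method=pwg.history.search HTTP/1.1" 200 48213 "-" "curl/8.5.0"',
    '203.0.113.7 - - [09/Apr/2026:21:15:03 +0000] "GET /ws.php?format=json&method=pwg.history.search&page=1 HTTP/1.1" 200 51002 "-" "curl/8.5.0"',
    '198.51.100.4 - - [09/Apr/2026:21:16:10 +0000] "GET /ws.php?format=json&method=pwg.images.getInfo&image_id=12 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [09/Apr/2026:21:16:12 +0000] "POST /ws.php?format=json HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [09/Apr/2026:21:17:44 +0000] "GET /gallery/ws.php?format=json&method=pwg%2Ehistory%2Esearch HTTP/1.1" 200 48213 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    print("probe URL:", probe_url("https://gallery.example"))
    print("sample replies:", classify_response(EXPOSED_REPLY), classify_response(DENIED_REPLY))
    print("attempts by IP, unlogged POSTs:", find_probe_attempts(SAMPLE_LOG))
```

Run probe() only against a gallery you operate, from a client with no Piwigo session cookie, since a logged‑in administrator will always see "exposed". The unlogged POST count is reported rather than silently dropped because Apache/nginx access logs cannot show which method a POST body selected; if that number is non‑zero, the POSTs need application‑side logging or a reverse‑proxy rule that inspects the body before the ws.php blocking recommended above can be trusted.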


Advisories

No advisories yet.

History

Thu, 09 Apr 2026 21:15:00 +0000

Type: CPEs
Values added: cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*

Tue, 07 Apr 2026 00:00:00 +0000

Type: First Time appeared
Values added: Piwigo; Piwigo piwigo
Type: Vendors & Products
Values added: Piwigo; Piwigo piwigo

Mon, 06 Apr 2026 20:00:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 21:30:00 +0000

Type: Description
Values added: Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the pwg.history.search API method in Piwigo is registered without the admin_only option, allowing unauthenticated users to access the full browsing history of all gallery visitors. This issue has been patched in version 16.3.0.
Type: Title
Values added: Piwigo: Unauthenticated Information Disclosure via pwg.history.search API
Type: Weaknesses
Values added: CWE-862
Type: References
Type: Metrics
Values added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T18:55:09.077Z

Reserved: 2026-02-24T02:32:39.800Z

Link: CVE-2026-27833

Vulnrichment

Updated: 2026-04-06T18:55:04.947Z

NVD

Status: Analyzed

Published: 2026-04-03T22:16:25.863

Modified: 2026-04-09T21:14:48.237

Link: CVE-2026-27833

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:45:38Z

Weaknesses