Description
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is directly concatenated into a SQL query without proper sanitization, allowing authenticated administrators to execute arbitrary SQL commands. This issue has been patched in version 16.3.0.
Published: 2026-04-03
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized SQL Execution
Action: Immediate Patch
AI Analysis

Impact

Piwigo, a popular web photo gallery application, has a flaw in the pwg.users.getList Web Service API. The filter parameter is concatenated straight into a SQL query without sanitization, creating a classic SQL injection vulnerability (CWE-89). Since the API requires an authenticated administrator, an attacker who logs in with admin rights can run arbitrary SQL statements. This can lead to data exposure, modification, or deletion, and in some configurations may even trigger privileged operations on the underlying database server.
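
As an added illustration (not Piwigo's code: the table, rows and filter semantics are constructed, modelled in Python on SQLite rather than Piwigo's PHP and MySQL), the concatenation pattern described above beside its parameterized form, with a check a maintainer could keep as a regression test after upgrading:

```python
import sqlite3

# Constructed sample rows standing in for a gallery's user table; this is not
# Piwigo's real schema or code, only a model of the bug class CVE-2026-27834 describes.
SAMPLE_USERS = [
    (1, "admin", "admin@example.invalid"),
    (2, "alice", "alice@example.invalid"),
    (3, "bob", "bob@example.invalid"),
]


def make_db():
    """Build an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def get_list_unsafe(conn, username_filter):
    """Vulnerable pattern: the caller's filter text is spliced into the SQL string,
    so anything the caller writes becomes part of the query."""
    sql = "SELECT id, username FROM users WHERE username = '" + username_filter + "'"
    return conn.execute(sql).fetchall()


def get_list_safe(conn, username_filter):
    """Hardened form: the filter is passed as a bound parameter and is only ever
    compared as data, whatever characters it contains."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username_filter,)).fetchall()


def regression_check():
    """Return True when the bound-parameter query treats a tautology as plain text
    while the concatenating query would honour it as SQL."""
    conn = make_db()
    tautology = "x' OR '1'='1"
    leaked = get_list_unsafe(conn, tautology)   # every row comes back
    bounded = get_list_safe(conn, tautology)    # no username equals that string
    return len(leaked) == len(SAMPLE_USERS) and bounded == []


if __name__ == "__main__":
    print("parameterized query resists tautology filter:", regression_check())
```

The same shape of check, pointed at the real endpoint with a harmless filter value, is what a deployment would assert after moving to 16.3.0.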

Affected Systems

All Piwigo installations running a version earlier than 16.3.0 are vulnerable. The issue is addressed in Piwigo version 16.3.0, which removes the unsanitized filter usage.

Risk and Exploitability

The vulnerability has a CVSS score of 7.2, indicating high severity. The EPSS score is below 1%, showing a low predicted exploit frequency, and it is not listed in CISA's KEV catalog. Exploitation requires the attacker to hold administrator credentials for the site and to know the API. Once authenticated, the injected SQL runs with the privileges of the database user Piwigo connects as.

Generated by OpenCVE AI on April 9, 2026 at 22:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Piwigo to version 16.3.0 or later.
  • If an immediate upgrade is not possible, restrict API access to trusted administrators and monitor logs for anomalous queries.
  • Verify that the web server and database are not exposed to public networks without proper authentication.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Piwigo
Piwigo piwigo
Vendors & Products Piwigo
Piwigo piwigo

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is directly concatenated into a SQL query without proper sanitization, allowing authenticated administrators to execute arbitrary SQL commands. This issue has been patched in version 16.3.0.
Title Piwigo: SQL Injection in pwg.users.getList API Method via filter Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T15:42:28.113Z

Reserved: 2026-02-24T02:32:39.800Z

Link: CVE-2026-27834

Vulnrichment

Updated: 2026-04-06T15:38:14.278Z

NVD

Status : Analyzed

Published: 2026-04-03T22:16:26.013

Modified: 2026-04-09T21:15:01.457

Link: CVE-2026-27834

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:45:37Z

Weaknesses