Description
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability was discovered in Piwigo affecting the Activity List API endpoint. This vulnerability allows an authenticated administrator to extract sensitive data from the database, including user credentials, email addresses, and all stored content. This issue has been patched in version 16.3.0.
Published: 2026-04-03
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality Breach via SQL Injection
Action: Patch Immediate
AI Analysis

Impact

A SQL Injection flaw is present in the Activity List API endpoint of Piwigo prior to version 16.3.0. The vulnerability allows an authenticated administrator to supply malicious parameters that cause the backend to execute arbitrary SQL statements. This can lead to extraction of sensitive data such as user credentials, email addresses, and all stored content, resulting in a significant breach of confidentiality.

Affected Systems

All installations of Piwigo before version 16.3.0 are impacted. The flaw exists in Piwigo's out-of-the-box photo gallery software and specifically affects the Activity List API endpoint used by administrators to view activity logs.

Risk and Exploitability

The CVSS score of 7.2 classifies the vulnerability as high severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation in the wild. The flaw is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited. Because the vulnerability requires administrative authentication, an attacker must first have privileged access to the system or compromise an administrator account before data can be exfiltrated. Once authenticated, the attacker can retrieve all stored data through crafted requests to the vulnerable endpoint.

Generated by OpenCVE AI on April 9, 2026 at 22:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Piwigo to version 16.3.0 or later, which contains the fix for the Activity List SQL injection.
  • Verify the integrity of the update by checking the release notes and confirming the new version number on the application dashboard.
  • If an update is not immediately possible, restrict network access to the Piwigo application and monitor for suspicious API usage by authenticated administrators.
  • Check the Piwigo security advisory (GHSA-wfmr-9hg8-jh3m) for any additional guidance before applying the patch.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 21:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*

Tue, 07 Apr 2026 00:00:00 +0000

Type: First Time appeared
Values Added: Piwigo; Piwigo piwigo

Type: Vendors & Products
Values Added: Piwigo; Piwigo piwigo

Mon, 06 Apr 2026 14:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 22:45:00 +0000

Type: Description
Values Added: Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability was discovered in Piwigo affecting the Activity List API endpoint. This vulnerability allows an authenticated administrator to extract sensitive data from the database, including user credentials, email addresses, and all stored content. This issue has been patched in version 16.3.0.

Type: Title
Values Added: Piwigo: SQL Injection in Activity.getList

Type: Weaknesses
Values Added: CWE-89

Type: References
Values Added: (empty)

Type: Metrics
Values Added: cvssV3_1
{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T13:15:26.353Z

Reserved: 2026-02-24T15:19:29.716Z

Link: CVE-2026-27885

Vulnrichment

Updated: 2026-04-06T13:15:20.872Z

NVD

Status : Analyzed

Published: 2026-04-03T22:16:26.173

Modified: 2026-04-09T21:15:10.113

Link: CVE-2026-27885

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:45:36Z

Weaknesses