Description
Coppermine Photo Gallery in versions 1.6.09 through 1.6.27 is vulnerable to path traversal. An unauthenticated remote attacker is able to exploit a vulnerable endpoint and construct payloads that allow reading the content of any file accessible by the web server process. This issue was fixed in version 1.6.28.
Published: 2026-03-11
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote File Disclosure
Action: Patch Immediately
AI Analysis

Impact

A path traversal vulnerability exists in Coppermine Photo Gallery versions 1.6.09 through 1.6.27. An unauthenticated remote attacker can construct a request to a vulnerable endpoint, causing the web server to resolve directory traversal sequences and read arbitrary files that the web server process can access. The primary impact is the unauthorized disclosure of sensitive information that resides on the server, as the attacker can read any file permitted by the web server process, which may include configuration files, credentials, or other private data. This weakness is characterized as a classic path traversal issue (CWE-22).

Affected Systems

The affected product is Coppermine Photo Gallery. All releases from 1.6.09 up to 1.6.27 are vulnerable. The issue was resolved in release 1.6.28.

Risk and Exploitability

The CVSS score for this vulnerability is 8.7, reflecting a high severity due to its remote nature and significant impact on confidentiality. The EPSS score is below 1%, indicating a low predicted likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, because an unauthenticated attacker can read arbitrary files, the risk for organizations running the affected versions is substantial and should be mitigated promptly. The attack can be performed over standard HTTP requests and does not require special privileges or prior compromise.

Generated by OpenCVE AI on March 17, 2026 at 15:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Coppermine Photo Gallery version 1.6.28 or later

Advisories

No advisories yet.

History

Thu, 12 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Coppermine-gallery; Coppermine-gallery coppermine Photo Gallery

Type: Vendors & Products
Values Removed: none
Values Added: Coppermine-gallery; Coppermine-gallery coppermine Photo Gallery

Wed, 11 Mar 2026 16:15:00 +0000

Type: Metrics
Values Removed: none
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 15:15:00 +0000

Type: Description
Values Removed: none
Values Added: Coppermine Photo Gallery in versions 1.6.09 through 1.6.27 is vulnerable to path traversal. An unauthenticated remote attacker is able to exploit a vulnerable endpoint and construct payloads that allow reading the content of any file accessible by the web server process. This issue was fixed in version 1.6.28.

Type: Title
Values Removed: none
Values Added: Path Traversal in Coppermine Photo Gallery

Type: Weaknesses
Values Removed: none
Values Added: CWE-22

Type: References
Values Removed: none
Values Added: none

Type: Metrics
Values Removed: none
Values Added: cvssV4_0
{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-03-11T15:52:08.010Z

Reserved: 2026-02-23T08:24:04.937Z

Link: CVE-2026-3013

Vulnrichment

Updated: 2026-03-11T15:51:58.736Z

NVD

Status: Awaiting Analysis

Published: 2026-03-11T15:16:32.097

Modified: 2026-03-12T21:08:22.643

Link: CVE-2026-3013

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T09:55:33Z

Weaknesses