plegall

16 exploits Active since Jan 2017
CVE-2016-10105 WRITEUP CRITICAL WRITEUP
Piwigo < 2.8.3 - Unauthenticated Exposure of Sensitive Information via admin/plugin.php
admin/plugin.php in Piwigo through 2.8.3 doesn't validate the sections variable while using it to include files. This can cause information disclosure and code execution if it contains a .. sequence.
CVSS 9.8
CVE-2026-27634 WRITEUP CRITICAL WRITEUP
Piwigo: Pre-auth SQL injection via date filter parameters in ws_std_image_sql_filter
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the four date filter parameters (f_min_date_available, f_max_date_available, f_min_date_created, f_max_date_created) in ws_std_image_sql_filter() are concatenated directly into SQL without any escaping or type validation. This could result in an unauthenticated attacker reading the full database, including user password hashes. This issue has been patched in version 16.3.0.
CVSS 9.8
CVE-2026-27833 WRITEUP HIGH WRITEUP
Piwigo: Unauthenticated Information Disclosure via pwg.history.search API
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the pwg.history.search API method in Piwigo is registered without the admin_only option, allowing unauthenticated users to access the full browsing history of all gallery visitors. This issue has been patched in version 16.3.0.
CVSS 7.5
CVE-2026-27834 WRITEUP HIGH WRITEUP
Piwigo: SQL Injection in pwg.users.getList API Method via filter Parameter
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is directly concatenated into a SQL query without proper sanitization, allowing authenticated administrators to execute arbitrary SQL commands. This issue has been patched in version 16.3.0.
CVSS 7.2
CVE-2026-27885 WRITEUP HIGH WRITEUP
Piwigo: SQL Injection in Activity.getList
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability was discovered in Piwigo affecting the Activity List API endpoint. This vulnerability allows an authenticated administrator to extract sensitive data from the database, including user credentials, email addresses, and all stored content. This issue has been patched in version 16.3.0.
CVSS 7.2
CVE-2024-48928 WRITEUP HIGH WRITEUP
Piwigo 14.x - Weak Secret Key Vulnerability
Piwigo is an open source photo gallery application for the web. In versions on the 14.x branch, when installing, the secret_key configuration parameter is set to MD5(RAND()) in MySQL. However, RAND() only has 30 bits of randomness, making it feasible to brute-force the secret key. The CSRF token is constructed partially from the secret key, and this can be used to check if the brute force succeeded. Trying all possible values takes approximately one hour. The impact of this is limited. The auto login key uses the user's password on top of the secret key. The pwg token uses the user's session identifier on top of the secret key. It seems that values for get_ephemeral_key can be generated when one knows the secret key. Version 15.0.0 contains a fix for the issue.
CVSS 7.5
CVE-2017-17822 WRITEUP MEDIUM WRITEUP
Piwigo 2.9.2 - SQL Injection via List Users API sSortDir_0 Parameter
The List Users API of Piwigo 2.9.2 is vulnerable to SQL Injection via the /admin/user_list_backend.php sSortDir_0 parameter. An attacker can exploit this to gain access to the data in a connected MySQL database.
CVSS 4.9
CVE-2017-17823 WRITEUP MEDIUM WRITEUP
Piwigo 2.9.2 - SQL Injection via Configuration Order By Parameter
The Configuration component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/configuration.php order_by array parameter. An attacker can exploit this to gain access to the data in a connected MySQL database.
CVSS 4.9
CVE-2017-17824 WRITEUP MEDIUM WRITEUP
Piwigo 2.9.2 - SQL Injection via Batch Manager Unit Mode element_ids Parameter
The Batch Manager component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/batch_manager_unit.php element_ids parameter in unit mode. An attacker can exploit this to gain access to the data in a connected MySQL database.
CVSS 4.9
CVE-2017-17827 WRITEUP HIGH WRITEUP
Piwigo 2.9.2 - Cross-Site Request Forgery via Admin Configuration or Batch Manager
Piwigo 2.9.2 is vulnerable to Cross-Site Request Forgery via /admin.php?page=configuration&section=main or /admin.php?page=batch_manager&mode=unit. An attacker can exploit this to coerce an admin user into performing unintended actions.
CVSS 8.8
CVE-2017-5608 WRITEUP MEDIUM WRITEUP
Piwigo < 2.8.6 - Cross-Site Scripting via Image Filename Upload
Cross-site scripting (XSS) vulnerability in the image upload function in Piwigo before 2.8.6 allows remote attackers to inject arbitrary web script or HTML via a crafted image filename.
CVSS 6.1
CVE-2017-9463 WRITEUP MEDIUM WRITEUP
Piwigo < 2.9.0 - Authenticated SQL Injection via iDisplayStart and iDisplayLength Parameters
The application Piwigo is affected by a SQL injection vulnerability in version 2.9.0 and possibly prior. This vulnerability allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. The user_list_backend.php component is affected: values of the iDisplayStart & iDisplayLength parameters are not sanitized; these are used to construct a SQL query and retrieve a list of registered users into the application.
CVSS 6.5
CVE-2021-31783 WRITEUP HIGH WRITEUP
LocalFilesEditor < 11.4.0.1 - Local File Inclusion via show_default.php file Parameter
show_default.php in the LocalFilesEditor extension before 11.4.0.1 for Piwigo allows Local File Inclusion because the file parameter is not validated with a proper regular-expression check.
CVSS 7.5
CVE-2021-32615 WRITEUP CRITICAL WRITEUP
Piwigo 11.4.0 - SQL Injection via order[0][dir] Parameter
Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection.
CVSS 9.8
CVE-2023-44393 WRITEUP CRITICAL WRITEUP
Piwigo < 14.0.0beta4 - Reflected Cross-Site Scripting via plugin_id Parameter
Piwigo is an open source photo gallery application. Prior to version 14.0.0beta4, a reflected cross-site scripting (XSS) vulnerability is in the` /admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page. This vulnerability can be exploited by an attacker to inject malicious HTML and JS code into the HTML page, which could then be executed by admin users when they visit the URL with the payload. The vulnerability is caused by the insecure injection of the `plugin_id` value from the URL into the HTML page. An attacker can exploit this vulnerability by crafting a malicious URL that contains a specially crafted `plugin_id` value. When a victim who is logged in as an administrator visits this URL, the malicious code will be injected into the HTML page and executed. This vulnerability can be exploited by any attacker who has access to a malicious URL. However, only users who are logged in as administrators are affected. This is because the vulnerability is only present on the `/admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page, which is only accessible to administrators. Version 14.0.0.beta4 contains a patch for this issue.
CVSS 9.3
CVE-2024-28662 WRITEUP MEDIUM WRITEUP
Piwigo < 14.3.0 - Cross-Site Scripting in create_tag Function
A Cross Site Scripting vulnerability exists in Piwigo before 14.3.0 script because of missing sanitization in create_tag in admin/include/functions.php.
CVSS 5.4