CVE-2014-9115

Piwigo <2.5.5, <2.6.x before 2.6.4, <2.7.x before 2.7.2 - SQL Injec...


Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-9115. PoCs published by Manuel García Cárdenas.

AI-analyzed exploit summary: This is a vulnerability advisory detailing a blind SQL injection in Piwigo <= v2.6.0. The PoC demonstrates exploitation via the 'rate' parameter in 'picture.php' using SQLMap.

Description

SQL injection vulnerability in the rate_picture function in include/functions_rate.inc.php in Piwigo before 2.5.5, 2.6.x before 2.6.4, and 2.7.x before 2.7.2 allows remote attackers to execute arbitrary SQL commands via the rate parameter to picture.php, related to an improper data type in a comparison of a non-numeric value that begins with a digit.

Exploits (1)

exploitdb WRITEUP
by Manuel García Cárdenas · text · webapps · php
https://www.exploit-db.com/exploits/35221


Classification
Writeup 100%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: Piwigo <= v2.6.0
No auth needed
Prerequisites: Access to the target Piwigo instance
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Vendor Advisory x_refsource_confirm
http://piwigo.org/forum/viewtopic.php?id=24850
Patch x_refsource_confirm
http://piwigo.org/releases/2.7.2
Exploit mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2014/Nov/23

Scores

EPSS 0.0274
EPSS Percentile 84.2%

Details

CWE
CWE-89
Status published
Products (7)
piwigo/piwigo 2.6.0
piwigo/piwigo 2.6.1
piwigo/piwigo 2.6.2
piwigo/piwigo 2.6.3
piwigo/piwigo 2.7.0 (5 CPE variants)
piwigo/piwigo 2.7.1
piwigo/piwigo < 2.5.5
Published Dec 23, 2014
Tracked Since Feb 18, 2026