CVE-2026-27834
HIGHPiwigo: SQL Injection in pwg.users.getList API Method via filter Parameter
Title source: cnaDescription
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is directly concatenated into a SQL query without proper sanitization, allowing authenticated administrators to execute arbitrary SQL commands. This issue has been patched in version 16.3.0.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/Piwigo/Piwigo/security/advisories/GHSA-5jwg-cr5q-vjq2
X_Refsource_Misc x_refsource_misc
https://github.com/Piwigo/Piwigo/commit/9df471f16243371dc3725c5262e1632d23c8218a
X_Refsource_Misc x_refsource_misc
https://piwigo.org/release-16.3.0
Scores
CVSS v3
7.2
EPSS
0.0037
EPSS Percentile
28.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (2)
piwigo/piwigo
< 16.3.0
Piwigo/Piwigo
< 16.3.0
Published
Apr 03, 2026
Tracked Since
Apr 04, 2026