EIP-2026-111298

PRE-CVE

Piwigo v13.7.0 - Stored Cross-Site Scripting (XSS) (Authenticated)

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-111298. PoCs published by Okan Kurtulus.

AI-analyzed exploit summary: This exploit demonstrates a stored XSS vulnerability in Piwigo v13.7.0, where an authenticated user can inject malicious JavaScript via the photo description field. The payload is triggered when the photo is viewed on the homepage.

Description

Piwigo v13.7.0 - Stored Cross-Site Scripting (XSS) (Authenticated)

Exploits (1)

exploitdb WORKING POC
by Okan Kurtulus · text · webapps · php
https://www.exploit-db.com/exploits/51572

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Piwigo v13.7.0
Auth required
Prerequisites: Authenticated user with photo upload privileges
devstral-2 · analyzed Feb 18, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026