CVE-2026-27634
Received Received - Intake
SQL Injection in Piwigo Date Filters Allows Database Exposure

Publication date: 2026-04-03

Last updated on: 2026-04-09

Assigner: GitHub, Inc.

Description
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the four date filter parameters (f_min_date_available, f_max_date_available, f_min_date_created, f_max_date_created) in ws_std_image_sql_filter() are concatenated directly into SQL without any escaping or type validation. This could result in an unauthenticated attacker reading the full database, including user password hashes. This issue has been patched in version 16.3.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-04-09
Generated
2026-05-07
AI Q&A
2026-04-04
EPSS Evaluated
2026-05-05
NVD
CVE-2026-27634
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
piwigo piwigo to 16.3.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects Piwigo, an open source photo gallery web application. Before version 16.3.0, four date filter parameters used in the function ws_std_image_sql_filter() were directly concatenated into SQL queries without any escaping or type validation. This flaw allows an unauthenticated attacker to exploit the SQL injection and read the entire database, including sensitive information such as user password hashes.


How can this vulnerability impact me? :

The vulnerability can have a severe impact as it allows an unauthenticated attacker to access the full database of the Piwigo application. This includes sensitive data like user password hashes, which could lead to unauthorized access to user accounts, data breaches, and potential further exploitation of the system.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been patched in Piwigo version 16.3.0. To mitigate this vulnerability, you should immediately upgrade your Piwigo installation to version 16.3.0 or later.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This vulnerability allows an unauthenticated attacker to read the full database, including user password hashes, due to improper input handling in SQL queries.

Such unauthorized access to sensitive user data can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized disclosure.

Therefore, if exploited, this vulnerability could result in non-compliance with these common standards and regulations.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart