CVE-2026-27634

Received Received - Intake

SQL Injection in Piwigo Date Filters Allows Database Exposure

Publication date: 2026-04-03

Last updated on: 2026-04-09

Assigner: GitHub, Inc.

Description

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the four date filter parameters (f_min_date_available, f_max_date_available, f_min_date_created, f_max_date_created) in ws_std_image_sql_filter() are concatenated directly into SQL without any escaping or type validation. This could result in an unauthenticated attacker reading the full database, including user password hashes. This issue has been patched in version 16.3.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-04-03

Last Modified

2026-04-09

Generated

2026-06-16

AI Q&A

2026-04-04

EPSS Evaluated

2026-06-15

NVD

CVE-2026-27634

Affected Vendors & Products

Vendor	Product	Version / Range
piwigo	piwigo	to 16.3.0 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

This vulnerability affects Piwigo, an open source photo gallery web application. Before version 16.3.0, four date filter parameters used in the function ws_std_image_sql_filter() were directly concatenated into SQL queries without any escaping or type validation. This flaw allows an unauthenticated attacker to exploit the SQL injection and read the entire database, including sensitive information such as user password hashes.

Impact Analysis

The vulnerability can have a severe impact as it allows an unauthenticated attacker to access the full database of the Piwigo application. This includes sensitive data like user password hashes, which could lead to unauthorized access to user accounts, data breaches, and potential further exploitation of the system.

Mitigation Strategies

The vulnerability has been patched in Piwigo version 16.3.0. To mitigate this vulnerability, you should immediately upgrade your Piwigo installation to version 16.3.0 or later.

Compliance Impact

This vulnerability allows an unauthenticated attacker to read the full database, including user password hashes, due to improper input handling in SQL queries.

Such unauthorized access to sensitive user data can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized disclosure.

Therefore, if exploited, this vulnerability could result in non-compliance with these common standards and regulations.

Hi! I’m here to help you understand CVE-2026-27634. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-27634

SQL Injection in Piwigo Date Filters Allows Database Exposure

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart