{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27634", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-20T22:02:30.028Z", "datePublished": "2026-04-03T21:33:13.838Z", "dateUpdated": "2026-04-06T13:13:42.809Z"}, "containers": {"cna": {"title": "Piwigo: Pre-auth SQL injection via date filter parameters in ws_std_image_sql_filter", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-mgqc-3445-qghq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-mgqc-3445-qghq"}, {"name": "https://github.com/Piwigo/Piwigo/commit/0d5ed1f7778bbe263410446d8cf64594df75bd08", "tags": ["x_refsource_MISC"], "url": "https://github.com/Piwigo/Piwigo/commit/0d5ed1f7778bbe263410446d8cf64594df75bd08"}, {"name": "https://piwigo.org/release-16.3.0", "tags": ["x_refsource_MISC"], "url": "https://piwigo.org/release-16.3.0"}], "affected": [{"vendor": "Piwigo", "product": "Piwigo", "versions": [{"version": "< 16.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T21:33:13.838Z"}, "descriptions": [{"lang": "en", "value": "Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the four date filter parameters (f_min_date_available, f_max_date_available, f_min_date_created, f_max_date_created) in ws_std_image_sql_filter() are concatenated directly into SQL without any escaping or type validation. This could result in an unauthenticated attacker reading the full database, including user password hashes. This issue has been patched in version 16.3.0."}], "source": {"advisory": "GHSA-mgqc-3445-qghq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T13:13:31.839588Z", "id": "CVE-2026-27634", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T13:13:42.809Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27634", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T13:13:31.839588Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T13:13:38.241Z"}}], "cna": {"title": "Piwigo: Pre-auth SQL injection via date filter parameters in ws_std_image_sql_filter", "source": {"advisory": "GHSA-mgqc-3445-qghq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Piwigo", "product": "Piwigo", "versions": [{"status": "affected", "version": "< 16.3.0"}]}], "references": [{"url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-mgqc-3445-qghq", "name": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-mgqc-3445-qghq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Piwigo/Piwigo/commit/0d5ed1f7778bbe263410446d8cf64594df75bd08", "name": "https://github.com/Piwigo/Piwigo/commit/0d5ed1f7778bbe263410446d8cf64594df75bd08", "tags": ["x_refsource_MISC"]}, {"url": "https://piwigo.org/release-16.3.0", "name": "https://piwigo.org/release-16.3.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the four date filter parameters (f_min_date_available, f_max_date_available, f_min_date_created, f_max_date_created) in ws_std_image_sql_filter() are concatenated directly into SQL without any escaping or type validation. This could result in an unauthenticated attacker reading the full database, including user password hashes. This issue has been patched in version 16.3.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T21:33:13.838Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27634", "state": "PUBLISHED", "dateUpdated": "2026-04-06T13:13:42.809Z", "dateReserved": "2026-02-20T22:02:30.028Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T21:33:13.838Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", "matchCriteriaId": "3502BA46-5475-47BC-BA8F-F9456A836F1A", "versionEndExcluding": "16.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the four date filter parameters (f_min_date_available, f_max_date_available, f_min_date_created, f_max_date_created) in ws_std_image_sql_filter() are concatenated directly into SQL without any escaping or type validation. This could result in an unauthenticated attacker reading the full database, including user password hashes. This issue has been patched in version 16.3.0."}], "id": "CVE-2026-27634", "lastModified": "2026-04-09T21:14:23.150", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-03T22:16:25.720", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Piwigo/Piwigo/commit/0d5ed1f7778bbe263410446d8cf64594df75bd08"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-mgqc-3445-qghq"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://piwigo.org/release-16.3.0"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,16.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Piwigo", "source": "cna", "vendor": "Piwigo"}, "product": "piwigo", "vendor": "piwigo"}], "analysis": {"en": {"generated_at": "2026-04-03T23:21:23.992515+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch to upgrade Piwigo to version 16.3.0 or later."], "summary": {"action": "Patch Immediately", "impact": "Database Disclosure"}, "threat_synthesis": {"affected_systems": "Any Piwigo installation running a version earlier than 16.3.0 is vulnerable. The issue was addressed in the 16.3.0 release, so systems that have not upgraded to at least this version remain at risk.", "description_and_impact": "An unauthenticated SQL injection flaw exists in the date\u2011filter parameters of the Piwigo image query function. The four parameters\u2014minimum and maximum dates for availability and creation\u2014are concatenated directly into a SQL statement without proper escaping or type validation. This lack of sanitisation permits a malicious actor to inject arbitrary SQL, read unrestricted database tables, and retrieve sensitive information such as user password hashes, as identified by CWE\u201189.", "risk_and_exploitability": "The CVSS base score of 8.7 indicates a high severity incident. While an explicit EPSS score is not provided, the vulnerability is exploitable by anyone who can access the web interface, since no authentication is required. The vulnerability is not listed in the CISA KEV catalog, but its high impact and lack of mitigations make it a serious concern. A successful exploitation allows an attacker to extract the entire database, potentially exposing user credentials and other confidential data."}}}}, "created": "2026-04-06T21:22:24.491464+00:00", "updated": "2026-04-06T22:22:02.740521+00:00", "vendors": ["piwigo", "piwigo$PRODUCT$piwigo"]}