{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27833", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T02:32:39.800Z", "datePublished": "2026-04-03T21:34:11.425Z", "dateUpdated": "2026-04-06T18:55:09.077Z"}, "containers": {"cna": {"title": "Piwigo: Unauthenticated Information Disclosure via pwg.history.search API", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-397m-gfhm-pmg2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-397m-gfhm-pmg2"}, {"name": "https://github.com/Piwigo/Piwigo/commit/d05c16561ce3692ca922199f8c8d7b1a45893f1c", "tags": ["x_refsource_MISC"], "url": "https://github.com/Piwigo/Piwigo/commit/d05c16561ce3692ca922199f8c8d7b1a45893f1c"}, {"name": "https://piwigo.org/release-16.3.0", "tags": ["x_refsource_MISC"], "url": "https://piwigo.org/release-16.3.0"}], "affected": [{"vendor": "Piwigo", "product": "Piwigo", "versions": [{"version": "< 16.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T21:34:11.425Z"}, "descriptions": [{"lang": "en", "value": "Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the pwg.history.search API method in Piwigo is registered without the admin_only option, allowing unauthenticated users to access the full browsing history of all gallery visitors. This issue has been patched in version 16.3.0."}], "source": {"advisory": "GHSA-397m-gfhm-pmg2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T18:53:22.756623Z", "id": "CVE-2026-27833", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T18:55:09.077Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27833", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T18:53:22.756623Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T18:55:04.947Z"}}], "cna": {"title": "Piwigo: Unauthenticated Information Disclosure via pwg.history.search API", "source": {"advisory": "GHSA-397m-gfhm-pmg2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Piwigo", "product": "Piwigo", "versions": [{"status": "affected", "version": "< 16.3.0"}]}], "references": [{"url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-397m-gfhm-pmg2", "name": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-397m-gfhm-pmg2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Piwigo/Piwigo/commit/d05c16561ce3692ca922199f8c8d7b1a45893f1c", "name": "https://github.com/Piwigo/Piwigo/commit/d05c16561ce3692ca922199f8c8d7b1a45893f1c", "tags": ["x_refsource_MISC"]}, {"url": "https://piwigo.org/release-16.3.0", "name": "https://piwigo.org/release-16.3.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the pwg.history.search API method in Piwigo is registered without the admin_only option, allowing unauthenticated users to access the full browsing history of all gallery visitors. This issue has been patched in version 16.3.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T21:34:11.425Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27833", "state": "PUBLISHED", "dateUpdated": "2026-04-06T18:55:09.077Z", "dateReserved": "2026-02-24T02:32:39.800Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T21:34:11.425Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the pwg.history.search API method in Piwigo is registered without the admin_only option, allowing unauthenticated users to access the full browsing history of all gallery visitors. This issue has been patched in version 16.3.0."}], "id": "CVE-2026-27833", "lastModified": "2026-04-07T13:20:55.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-03T22:16:25.863", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Piwigo/Piwigo/commit/d05c16561ce3692ca922199f8c8d7b1a45893f1c"}, {"source": "security-advisories@github.com", "url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-397m-gfhm-pmg2"}, {"source": "security-advisories@github.com", "url": "https://piwigo.org/release-16.3.0"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,16.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Piwigo", "source": "cna", "vendor": "Piwigo"}, "product": "piwigo", "vendor": "piwigo"}], "analysis": {"en": {"generated_at": "2026-04-03T23:21:05.902784+00:00", "value": {"mitigation_remediation": ["Upgrade Piwigo to version 16.3.0 or later", "If an upgrade is not immediately possible, restrict access to the pwg.history.search API endpoint using server\u2011side controls such as web\u2011app firewall rules or IP restrictions", "Monitor the gallery for any abnormal access patterns to the history API until a patch is applied"], "summary": {"action": "Apply Patch", "impact": "Unauthenticated Information Disclosure"}, "threat_synthesis": {"affected_systems": "Any installation of Piwigo running a version earlier than 16.3.0 is susceptible to the flaw. The issue was addressed in the 16.3.0 release, so newer versions are not affected.", "description_and_impact": "Piwigo\u2019s pwg.history.search API method was exposed without the admin_only flag, permitting anyone who can reach the gallery to retrieve the full browsing history of all visitors. This flaw can leak sensitive data such as URLs viewed, timestamps, and potentially user identifiers, thereby compromising user privacy and confidentiality. The vulnerability is classified as CWE-862, unauthorized access.", "risk_and_exploitability": "The CVSS score of 7.5 indicates significant risk, and the EPSS score is not available, though the lack of authentication requirements means an attacker requires only network reachability to the gallery host. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw simply by sending an unauthenticated request to the exposed API endpoint, and no additional privileges or network configuration modifications are required. The resultant privacy breach could affect all visitors to the gallery, making remediation a high priority."}}}}, "created": "2026-04-06T21:22:23.452164+00:00", "updated": "2026-04-06T22:22:01.664900+00:00", "vendors": ["piwigo", "piwigo$PRODUCT$piwigo"]}