Vulnerability Description
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the four date filter parameters (f_min_date_available, f_max_date_available, f_min_date_created, f_max_date_created) in ws_std_image_sql_filter() are concatenated directly into SQL without any escaping or type validation. This could result in an unauthenticated attacker reading the full database, including user password hashes. This issue has been patched in version 16.3.0.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Piwigo | Piwigo | < 16.3.0 |
Related Weaknesses (CWE)
References
- https://github.com/Piwigo/Piwigo/commit/0d5ed1f7778bbe263410446d8cf64594df75bd08Patch
- https://github.com/Piwigo/Piwigo/security/advisories/GHSA-mgqc-3445-qghqExploitVendor Advisory
- https://piwigo.org/release-16.3.0Release Notes
FAQ
What is CVE-2026-27634?
CVE-2026-27634 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the four date filter parameters (f_min_date_available, f_max_date_available, f_min_date_created, f_max_date_cre...
How severe is CVE-2026-27634?
CVE-2026-27634 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-27634?
Check the references section above for vendor advisories and patch information. Affected products include: Piwigo Piwigo.