Vulnerability Description
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is directly concatenated into a SQL query without proper sanitization, allowing authenticated administrators to execute arbitrary SQL commands. This issue has been patched in version 16.3.0.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Piwigo | Piwigo | < 16.3.0 |
Related Weaknesses (CWE)
References
- https://github.com/Piwigo/Piwigo/commit/9df471f16243371dc3725c5262e1632d23c8218aPatch
- https://github.com/Piwigo/Piwigo/security/advisories/GHSA-5jwg-cr5q-vjq2ExploitMitigationVendor Advisory
- https://piwigo.org/release-16.3.0Release Notes
- https://github.com/Piwigo/Piwigo/security/advisories/GHSA-5jwg-cr5q-vjq2ExploitMitigationVendor Advisory
FAQ
What is CVE-2026-27834?
CVE-2026-27834 is a vulnerability with a CVSS score of 7.2 (HIGH). Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is d...
How severe is CVE-2026-27834?
CVE-2026-27834 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-27834?
Check the references section above for vendor advisories and patch information. Affected products include: Piwigo Piwigo.