
CVE-2024-43018
https://notcve.org/view.php?id=CVE-2024-43018
29 Jul 2025 — Piwigo 13.8.0 and below is vulnerable to SQL Injection in the parameters max_level and min_register. These parameters are used by the ws_users_getList function in include/ws_functions/pwg.users.php; the same function is reached through ws.php and backs the advanced user search at /admin.php?page=user_list. • https://github.com/Piwigo/Piwigo/issues/2197 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2023-44393 – Piwigo Reflected XSS vulnerability
https://notcve.org/view.php?id=CVE-2023-44393
09 Oct 2023 — Piwigo is an open source photo gallery application. Prior to version 14.0.0beta4, a reflected cross-site scripting (XSS) vulnerability exists in the `/admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page. An attacker can exploit it to inject malicious HTML and JS code into the HTML page, which is then executed by admin users when they visit the URL carrying the payload. The vulnerability is caused by the insecure injection of the `plugin_id` value from the URL into th... • https://github.com/Piwigo/Piwigo/commit/cc99c0f1e967c5f1722a0cce30ff42374a7bbc23 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •

CVE-2023-37270 – Piwigo SQL Injection vulnerability in "User-Agent"
https://notcve.org/view.php?id=CVE-2023-37270
07 Jul 2023 — Piwigo is open source photo gallery software. Prior to version 13.8.0, there is a SQL Injection vulnerability in the login of the administrator screen. The SQL statement that stores the HTTP `User-Agent` header is vulnerable at the endpoint that records user information when logging in to the administrator screen, so arbitrary SQL statements can be executed. Anyone who wants to exploit the vulnerability must be logged in to the administrator screen, even with low privileges. • https://github.com/Piwigo/Piwigo/blob/c01ec38bc43f09424a8d404719c35f963d63cf00/include/dblayer/functions_mysqli.inc.php#L491 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
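The two injection entries above (CVE-2024-43018, numeric and date filter parameters pasted into a user-search SELECT; CVE-2023-37270, a request header pasted into the statement that records login details) share one root cause: untrusted strings are concatenated into SQL text. The block below is an added example, not Piwigo's code. It rebuilds a simplified users table in SQLite, places a vulnerable and a parameterized version of each query side by side, and shows that the same attacker-controlled values rewrite the first and are rejected or stored inertly by the second. The table and column names, the payloads, and the use of SQLite in place of Piwigo's MySQL layer are all assumptions made for the demonstration.

```python
"""Added example (not Piwigo code): untrusted values concatenated into SQL
versus validated, parameterized queries. Schema and rows are constructed."""
import re
import sqlite3


def make_db():
    # Constructed schema; table and column names are assumptions for the demo.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (
            id INTEGER PRIMARY KEY, username TEXT, level INTEGER,
            registration_date TEXT, last_user_agent TEXT);
        INSERT INTO users VALUES (1, 'admin', 8, '2021-01-05', NULL);
        INSERT INTO users VALUES (2, 'alice', 1, '2023-03-10', NULL);
        INSERT INTO users VALUES (3, 'bob',   2, '2024-02-01', NULL);
    """)
    return con


# --- user search filter (pattern of CVE-2024-43018) -------------------------

def search_users_vulnerable(con, max_level, min_register):
    """Filter values go straight into the statement, so a max_level such as
    "0 OR 1=1 --" rewrites the WHERE clause instead of being compared."""
    sql = ("SELECT username FROM users WHERE level <= " + str(max_level)
           + " AND registration_date >= '" + str(min_register) + "' ORDER BY id")
    return [row[0] for row in con.execute(sql)]


DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def search_users_safe(con, max_level, min_register):
    """Reject anything that is not an int / ISO date, then bind the values with
    placeholders so the driver never parses them as SQL."""
    try:
        level = int(max_level)
    except (TypeError, ValueError):
        raise ValueError("max_level must be an integer")
    if not DATE_RE.match(str(min_register)):
        raise ValueError("min_register must be YYYY-MM-DD")
    sql = ("SELECT username FROM users WHERE level <= ? "
           "AND registration_date >= ? ORDER BY id")
    return [row[0] for row in con.execute(sql, (level, min_register))]


# --- login record (pattern of CVE-2023-37270) -------------------------------

def record_login_vulnerable(con, user_id, user_agent):
    """The User-Agent header is quoted by hand. A header that closes the quote
    can append its own SET assignment, here raising the caller's level."""
    sql = ("UPDATE users SET last_user_agent = '" + user_agent
           + "' WHERE id = " + str(int(user_id)))
    con.execute(sql)


def record_login_safe(con, user_id, user_agent):
    """Bound parameter: the header is stored verbatim, however it is spelled."""
    con.execute("UPDATE users SET last_user_agent = ? WHERE id = ?",
                (user_agent, int(user_id)))


def level_of(con, user_id):
    return con.execute("SELECT level FROM users WHERE id = ?",
                       (user_id,)).fetchone()[0]


def user_agent_of(con, user_id):
    return con.execute("SELECT last_user_agent FROM users WHERE id = ?",
                       (user_id,)).fetchone()[0]


if __name__ == "__main__":
    con = make_db()
    print(search_users_vulnerable(con, 2, "2023-01-01"))             # ['alice', 'bob']
    print(search_users_vulnerable(con, "0 OR 1=1 --", "2030-01-01"))  # every user
    ua = "', level = 8 WHERE id = 2 -- "                              # constructed header
    record_login_vulnerable(con, 2, ua)
    print(level_of(con, 2))                                           # 8
```

The search payload only needs to bend a numeric comparison, which is why casting to int before the query is as important as the placeholder: with a placeholder alone the driver would still bind the string and the query would fail rather than leak, but the cast makes the rejection explicit. The login payload never needs a second statement; it rides inside the single UPDATE the application already runs, so a driver that refuses stacked queries offers no protection.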

CVE-2023-34626
https://notcve.org/view.php?id=CVE-2023-34626
15 Jun 2023 — Piwigo 13.7.0 is vulnerable to SQL Injection via the "Users" function. • https://github.com/Piwigo/Piwigo/issues/1924 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2023-33359
https://notcve.org/view.php?id=CVE-2023-33359
23 May 2023 — Piwigo 13.6.0 is vulnerable to Cross Site Request Forgery (CSRF) in the "add tags" function. • https://github.com/Piwigo/Piwigo/issues/1908 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2023-33361
https://notcve.org/view.php?id=CVE-2023-33361
23 May 2023 — Piwigo 13.6.0 is vulnerable to SQL Injection via /admin/permalinks.php. • https://github.com/Piwigo/Piwigo/issues/1910 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2023-33362
https://notcve.org/view.php?id=CVE-2023-33362
23 May 2023 — Piwigo 13.6.0 is vulnerable to SQL Injection via the "profile" function. • https://github.com/Piwigo/Piwigo/issues/1911 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •