CVE-2026-27634

UNKNOWN 0.0

Piwigo: Pre-auth SQL injection via date filter parameters in ws_std_image_sql_filter

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

13th

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the four date filter parameters (f_min_date_available, f_max_date_available, f_min_date_created, f_max_date_created) in ws_std_image_sql_filter() are concatenated directly into SQL without any escaping or type validation. This could result in an unauthenticated attacker reading the full database, including user password hashes. This issue has been patched in version 16.3.0.

CWE	CWE-89
Vendor	piwigo
Product	piwigo
Published	Apr 3, 2026
Last Updated	Apr 6, 2026

Stay Ahead of the Next One

Get instant alerts for piwigo piwigo

Be the first to know when new unknown vulnerabilities affecting piwigo piwigo are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Piwigo / Piwigo

< 16.3.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Piwigo/Piwigo/security/advisories/GHSA-mgqc-3445-qghq github.com: https://github.com/Piwigo/Piwigo/commit/0d5ed1f7778bbe263410446d8cf64594df75bd08 piwigo.org: https://piwigo.org/release-16.3.0