CVE-2026-27885
Piwigo: SQL Injection in Activity.getList
| CVSS Score | 7.2 |
| EPSS Score | 0.0% |
| EPSS Percentile | 7th |
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the Activity List API endpoint (Activity.getList) is vulnerable to SQL injection. An authenticated administrator can exploit it to extract sensitive data from the database, including user credentials, email addresses, and all stored content. This issue has been patched in version 16.3.0.
| CWE | CWE-89 |
| Vendor | piwigo |
| Product | piwigo |
| Published | Apr 3, 2026 |
| Last Updated | Apr 6, 2026 |
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | High |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Affected Versions
| Piwigo / Piwigo | < 16.3.0 |