Piwigo: SQL Injection in Activity.getList_CVE-2026-27885

7.2 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Description

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability was discovered in Piwigo affecting the Activity List API endpoint. This vulnerability allows an authenticated administrator to extract sensitive data from the database, including user credentials, email addresses, and all stored content. This issue has been patched in version 16.3.0.

Basic Information

ID CVE-2026-27885

Source GitHub_M

Published Apr 3, 2026 at 21:36

Modified Apr 6, 2026 at 13:15

Affected Product

Vendor Piwigo

Product Piwigo

Version < 16.3.0

Affected Versions Piwigo Piwigo < 16.3.0

CWE Classification

CWE-89

References

{
    "lastseen": "",
    "description": "Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability was discovered in Piwigo affecting the Activity List API endpoint. This vulnerability allows an authenticated administrator to extract sensitive data from the database, including user credentials, email addresses, and all stored content. This issue has been patched in version 16.3.0.",
    "published": "2026-04-03T21:36:07.360Z",
    "modified": "2026-04-06T13:15:26.353Z",
    "type": "cve",
    "title": "Piwigo: SQL Injection in Activity.getList",
    "source": "GitHub_M",
    "references": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-wfmr-9hg8-jh3m\nhttps://github.com/Piwigo/Piwigo/commit/c172d284e11eab4a5dbadd2844d26f734d5c8c72\nhttps://piwigo.org/release-16.3.0",
    "id": "CVE-2026-27885",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "Piwigo Piwigo < 16.3.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.2,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Piwigo",
    "version": "< 16.3.0",
    "vendor": "Piwigo",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}