CVE-2022-26267

7.5 HIGH

📋 TL;DR

Piwigo v12.2.0 contains an information disclosure vulnerability in the admin maintenance actions page. An attacker can use it to leak sensitive information from the application. Exploitation requires an authenticated administrator account, so only installations where an attacker holds or obtains admin access are exposed.

💻 Affected Systems

Products:
  • Piwigo
Versions: v12.2.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin access to exploit. The vulnerability is in the admin interface at /admin/maintenance_actions.php.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could extract sensitive configuration data, database credentials, or other internal information that could lead to further compromise of the Piwigo installation.

🟠 Likely Case

An attacker who has obtained admin access could view system information, configuration details, or other data that should be restricted to administrators.

🟢 If Mitigated

With proper access controls and network segmentation, the impact is limited to information disclosure within the admin interface.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin-level access. The vulnerability is well-documented in public repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v12.3.0 or later

Vendor Advisory: https://github.com/Piwigo/Piwigo/security/advisories

Restart Required: No

Instructions:

1. Backup your Piwigo installation and database.
2. Download the latest Piwigo version from the official website.
3. Replace the affected files with the patched version.
4. Verify the installation works correctly.

🔧 Temporary Workarounds

Restrict Admin Access (platform: all)

Limit access to the admin interface to trusted IP addresses only.

# Add to <piwigo>/admin/.htaccess or the matching <Directory> block; adjust the trusted range
# Apache 2.2 syntax (also works on 2.4 with mod_access_compat)
Order deny,allow
Deny from all
Allow from 192.168.1.0/24
# Apache 2.4 native equivalent: Require ip 192.168.1.0/24

Disable Maintenance Actions (platform: linux)

Temporarily disable or restrict access to the vulnerable endpoint. Note that renaming the file also removes the maintenance page for legitimate administrators until the patch is applied.

# Rename or move the vulnerable file
mv /path/to/piwigo/admin/maintenance_actions.php /path/to/piwigo/admin/maintenance_actions.php.disabled

🧯 If You Can't Patch

  • Implement strict network access controls to limit admin interface access
  • Monitor admin access logs for suspicious activity targeting maintenance_actions.php

🔍 How to Verify

Check if Vulnerable:

Check whether the Piwigo version is 12.2.0 and whether the unpatched /admin/maintenance_actions.php is still present.

Check Version:

# The version constant in constants.php is upper-case (PHPWG_VERSION), so match case-insensitively
grep -i 'version' /path/to/piwigo/include/constants.php | grep -o '[0-9]\+\.[0-9]\+\.[0-9]\+'

Verify Fix Applied:

Verify that the Piwigo version is 12.3.0 or later, or confirm that the information disclosure issue is no longer reproducible on the maintenance actions page.

📡 Detection & Monitoring

Log Indicators:

  • Multiple requests to /admin/maintenance_actions.php with different action parameters
  • Unusual admin access patterns

Network Indicators:

  • HTTP requests to /admin/maintenance_actions.php with suspicious action parameters

SIEM Query (Splunk-style syntax; adapt field names to your log schema):

source="web_access_logs" AND uri_path="/admin/maintenance_actions.php" AND (status=200 OR status=500) | stats count by src_ip
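The same detection applied to raw web server access logs, as an added example that is not part of the original advisory: it parses combined-format log lines, keeps only hits on /admin/maintenance_actions.php that returned 200 or 500 (as in the SIEM query above), counts them per source IP, and flags sources that cycle through several distinct action parameters. The log lines, IP addresses, action values and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache/nginx combined log format; the request field holds "METHOD path?query HTTP/x"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
TARGET_PATH = "/admin/maintenance_actions.php"

# Constructed sample traffic (not real logs): one source hammering the endpoint with
# several action values, one ordinary admin visit, and one request that was denied.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2022:10:01:02 +0000] "GET /admin/maintenance_actions.php?action=lock_gallery HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2022:10:01:03 +0000] "GET /admin/maintenance_actions.php?action=categories HTTP/1.1" 200 4096
203.0.113.7 - - [10/Mar/2022:10:01:04 +0000] "GET /admin/maintenance_actions.php?action=sessions HTTP/1.1" 500 0
198.51.100.4 - - [10/Mar/2022:10:05:00 +0000] "GET /admin/maintenance_actions.php?action=images HTTP/1.1" 200 2048
198.51.100.4 - - [10/Mar/2022:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 9000
192.0.2.9 - - [10/Mar/2022:10:07:00 +0000] "GET /admin/maintenance_actions.php?action=feeds HTTP/1.1" 403 0
"""


def scan(log_text, min_requests=3, min_distinct_actions=2):
    """Return {src_ip: {"requests", "actions", "statuses", "flag"}} for hits on the
    maintenance endpoint that returned 200 or 500. A source is flagged when it made at
    least min_requests such requests using at least min_distinct_actions action values."""
    per_ip = defaultdict(lambda: {"requests": 0, "actions": set(), "statuses": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the whole scan
        parts = urlsplit(m.group("url"))
        status = int(m.group("status"))
        if parts.path != TARGET_PATH or status not in (200, 500):
            continue
        rec = per_ip[m.group("ip")]
        rec["requests"] += 1
        rec["statuses"].add(status)
        rec["actions"].update(parse_qs(parts.query).get("action", []))
    for rec in per_ip.values():
        rec["flag"] = (rec["requests"] >= min_requests
                       and len(rec["actions"]) >= min_distinct_actions)
    return dict(per_ip)


if __name__ == "__main__":
    for ip, rec in scan(SAMPLE_LOG).items():
        print(ip, rec["requests"], sorted(rec["actions"]), "FLAG" if rec["flag"] else "")
```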
