CVE-2026-27634 HIGH

CVE-2026-27634: Piwigo: Pre-auth SQL injection via date filter parameters in ws_std_image_sql_filter

Vendor Piwigo

Product Piwigo

Weakness CWE-89 · SQLi

Published April 3, 2026

Last update April 6, 2026

View on NVD All CVEs

CVSS base score

8.7/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the four date filter parameters (f_min_date_available, f_max_date_available, f_min_date_created, f_max_date_created) in ws_std_image_sql_filter() are concatenated directly into SQL without any escaping or type validation. This could result in an unauthenticated attacker reading the full database, including user password hashes. This issue has been patched in version 16.3.0.

Key dates

02Disclosure timeline

April 3, 2026 CVE published

April 6, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-27634 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/89.html

Related vulnerabilities

CVE-2026-27634: Piwigo: Pre-auth SQL injection via date filter parameters in ws_std_image_sql_filter

01Description

02Disclosure timeline

03References

04Related CVE