Akityoo

**Name of the Vulnerable Software and Affected Versions** Piwigo version 2.9.1 **Description** A cross-site scripting (XSS) issue allows remote authenticated administrators to inject arbitrary web script or HTML via the `virtual name` parameter to "/admin.php" when creating a virtual album. **Recommendations** For Piwigo version 2.9.1, avoid using the `virtual name` parameter in the "/admin.php" endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the virtual album creation feature to minimize the risk of exploitation.