Jorrit Kronjee

**Name of the Vulnerable Software and Affected Versions** Piwigo versions prior to 2.9.3 **Description** The issue concerns SQL injection in the administration panel, specifically in admin/tags.php. It can be exploited via the `tags` array parameter in an "admin.php?page=tags" request. The attacker must have administrator privileges to exploit this issue. **Recommendations** For versions prior to 2.9.3, update to version 2.9.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the administration panel to minimize the risk of exploitation. Avoid using the `tags` array parameter in the affected API endpoint until the issue is resolved.