PT-2025-31256 · Piwigo · Piwigo
Published
2025-07-27
·
Updated
2025-07-30
·
CVE-2024-43018
CVSS v3.1
6.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Piwigo versions 13.8.0 and below
Description
Piwigo versions 13.8.0 and below are vulnerable to SQL injection via the parameters max_level and min_register. These parameters are used in the ws_users_getList function in the file include/ws_functions/pwg.users.php. This function is called from ws.php and is used for advanced user searches via the /admin.php?page=user_list endpoint.
Recommendations
Upgrade to version 15.1.0 or later.
Weakness Enumeration
SQL injection
Affected Products
Piwigo