CVE-2026-27834

CVSS v3.1

7.2

High

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is directly concatenated into a SQL query without proper sanitization, allowing authenticated administrators to execute arbitrary SQL commands. This issue has been patched in version 16.3.0.

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2026-27834

Affected Products

Piwigo

CVE-2026-27834

Weakness Enumeration

Related Identifiers

Affected Products

References · 4