{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27834", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T02:32:39.800Z", "datePublished": "2026-04-03T21:35:13.966Z", "dateUpdated": "2026-04-06T15:42:28.113Z"}, "containers": {"cna": {"title": "Piwigo: SQL Injection in pwg.users.getList API Method via filter Parameter", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-5jwg-cr5q-vjq2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-5jwg-cr5q-vjq2"}, {"name": "https://github.com/Piwigo/Piwigo/commit/9df471f16243371dc3725c5262e1632d23c8218a", "tags": ["x_refsource_MISC"], "url": "https://github.com/Piwigo/Piwigo/commit/9df471f16243371dc3725c5262e1632d23c8218a"}, {"name": "https://piwigo.org/release-16.3.0", "tags": ["x_refsource_MISC"], "url": "https://piwigo.org/release-16.3.0"}], "affected": [{"vendor": "Piwigo", "product": "Piwigo", "versions": [{"version": "< 16.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T21:35:13.966Z"}, "descriptions": [{"lang": "en", "value": "Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is directly concatenated into a SQL query without proper sanitization, allowing authenticated administrators to execute arbitrary SQL commands. This issue has been patched in version 16.3.0."}], "source": {"advisory": "GHSA-5jwg-cr5q-vjq2", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-5jwg-cr5q-vjq2", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T15:38:05.554183Z", "id": "CVE-2026-27834", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:42:28.113Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27834", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-06T15:38:05.554183Z"}}}], "references": [{"url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-5jwg-cr5q-vjq2", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:38:14.278Z"}}], "cna": {"title": "Piwigo: SQL Injection in pwg.users.getList API Method via filter Parameter", "source": {"advisory": "GHSA-5jwg-cr5q-vjq2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Piwigo", "product": "Piwigo", "versions": [{"status": "affected", "version": "< 16.3.0"}]}], "references": [{"url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-5jwg-cr5q-vjq2", "name": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-5jwg-cr5q-vjq2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Piwigo/Piwigo/commit/9df471f16243371dc3725c5262e1632d23c8218a", "name": "https://github.com/Piwigo/Piwigo/commit/9df471f16243371dc3725c5262e1632d23c8218a", "tags": ["x_refsource_MISC"]}, {"url": "https://piwigo.org/release-16.3.0", "name": "https://piwigo.org/release-16.3.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is directly concatenated into a SQL query without proper sanitization, allowing authenticated administrators to execute arbitrary SQL commands. This issue has been patched in version 16.3.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T21:35:13.966Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27834", "state": "PUBLISHED", "dateUpdated": "2026-04-06T15:42:28.113Z", "dateReserved": "2026-02-24T02:32:39.800Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T21:35:13.966Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is directly concatenated into a SQL query without proper sanitization, allowing authenticated administrators to execute arbitrary SQL commands. This issue has been patched in version 16.3.0."}], "id": "CVE-2026-27834", "lastModified": "2026-04-07T13:20:55.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-03T22:16:26.013", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Piwigo/Piwigo/commit/9df471f16243371dc3725c5262e1632d23c8218a"}, {"source": "security-advisories@github.com", "url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-5jwg-cr5q-vjq2"}, {"source": "security-advisories@github.com", "url": "https://piwigo.org/release-16.3.0"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-5jwg-cr5q-vjq2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,16.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Piwigo", "source": "cna", "vendor": "Piwigo"}, "product": "piwigo", "vendor": "piwigo"}], "analysis": {"en": {"generated_at": "2026-04-03T23:50:29.760969+00:00", "value": {"mitigation_remediation": ["Upgrade to Piwigo 16.3.0 or later.", "Verify that the upgrade includes the SQL injection fix by checking release notes or the application\u2019s version identifier.", "Restrict API access for administrative accounts to reduce the attack surface."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary SQL Execution"}, "threat_synthesis": {"affected_systems": "Any Piwigo installation running a version earlier than 16.3.0 is impacted. The vulnerability is present in every release that has not applied the security patch delivered with the 16.3.0 update.", "description_and_impact": "A SQL injection flaw exists in the pwg.users.getList API method of Piwigo. The filter parameter is directly concatenated into a SQL query without proper sanitization, allowing an attacker who authenticates as an administrator to send malicious input that will be executed by the database engine. This can lead to reading, modifying, or deleting critical data, thereby compromising confidentiality, integrity, and potentially availability of the photo gallery.", "risk_and_exploitability": "The CVSS score of 7.2 classifies the weakness as high severity. Exploitation requires the attacker to possess administrator credentials and access the Web Service API endpoint. Although no public exploits are documented and the issue is not listed in the CISA KEV catalog, the combination of a high score and privileged access means that an internal or compromised user could leverage the flaw to gain full database access. EPSS data is unavailable."}}}}, "created": "2026-04-06T21:22:22.436088+00:00", "updated": "2026-04-06T22:22:00.427429+00:00", "vendors": ["piwigo", "piwigo$PRODUCT$piwigo"]}