{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27833", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T02:32:39.800Z", "datePublished": "2026-04-03T21:34:11.425Z", "dateUpdated": "2026-04-06T18:55:09.077Z"}, "containers": {"cna": {"title": "Piwigo: Unauthenticated Information Disclosure via pwg.history.search API", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-397m-gfhm-pmg2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-397m-gfhm-pmg2"}, {"name": "https://github.com/Piwigo/Piwigo/commit/d05c16561ce3692ca922199f8c8d7b1a45893f1c", "tags": ["x_refsource_MISC"], "url": "https://github.com/Piwigo/Piwigo/commit/d05c16561ce3692ca922199f8c8d7b1a45893f1c"}, {"name": "https://piwigo.org/release-16.3.0", "tags": ["x_refsource_MISC"], "url": "https://piwigo.org/release-16.3.0"}], "affected": [{"vendor": "Piwigo", "product": "Piwigo", "versions": [{"version": "< 16.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T21:34:11.425Z"}, "descriptions": [{"lang": "en", "value": "Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the pwg.history.search API method in Piwigo is registered without the admin_only option, allowing unauthenticated users to access the full browsing history of all gallery visitors. This issue has been patched in version 16.3.0."}], "source": {"advisory": "GHSA-397m-gfhm-pmg2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T18:53:22.756623Z", "id": "CVE-2026-27833", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T18:55:09.077Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27833", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T18:53:22.756623Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T18:55:04.947Z"}}], "cna": {"title": "Piwigo: Unauthenticated Information Disclosure via pwg.history.search API", "source": {"advisory": "GHSA-397m-gfhm-pmg2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Piwigo", "product": "Piwigo", "versions": [{"status": "affected", "version": "< 16.3.0"}]}], "references": [{"url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-397m-gfhm-pmg2", "name": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-397m-gfhm-pmg2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Piwigo/Piwigo/commit/d05c16561ce3692ca922199f8c8d7b1a45893f1c", "name": "https://github.com/Piwigo/Piwigo/commit/d05c16561ce3692ca922199f8c8d7b1a45893f1c", "tags": ["x_refsource_MISC"]}, {"url": "https://piwigo.org/release-16.3.0", "name": "https://piwigo.org/release-16.3.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the pwg.history.search API method in Piwigo is registered without the admin_only option, allowing unauthenticated users to access the full browsing history of all gallery visitors. This issue has been patched in version 16.3.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T21:34:11.425Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27833", "state": "PUBLISHED", "dateUpdated": "2026-04-06T18:55:09.077Z", "dateReserved": "2026-02-24T02:32:39.800Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T21:34:11.425Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", "matchCriteriaId": "3502BA46-5475-47BC-BA8F-F9456A836F1A", "versionEndExcluding": "16.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the pwg.history.search API method in Piwigo is registered without the admin_only option, allowing unauthenticated users to access the full browsing history of all gallery visitors. This issue has been patched in version 16.3.0."}], "id": "CVE-2026-27833", "lastModified": "2026-04-09T21:14:48.237", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-03T22:16:25.863", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Piwigo/Piwigo/commit/d05c16561ce3692ca922199f8c8d7b1a45893f1c"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-397m-gfhm-pmg2"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://piwigo.org/release-16.3.0"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,16.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Piwigo", "source": "cna", "vendor": "Piwigo"}, "product": "piwigo", "vendor": "piwigo"}], "analysis": {"en": {"generated_at": "2026-04-09T22:58:32.346301+00:00", "value": {"mitigation_remediation": ["Determine your current Piwigo version by checking the administration interface or the version.php file.", "Download the latest stable release, 16.3.0, from the official Piwigo website or GitHub repository.", "Follow the upgrade instructions provided by Piwigo to replace the old installation with the new version.", "After upgrading, confirm that the pwg.history.search API is no longer accessible to unauthenticated users (e.g., by attempting the API call and expecting a 403 or authentication prompt).", "If an upgrade cannot be performed immediately, block external access to the API endpoint using web server configuration or firewall rules until the patch is applied.", "Continuously monitor web server access logs for repeated attempts to request the pwg.history.search endpoint."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure of Browsing History"}, "threat_synthesis": {"affected_systems": "The defect impacts the Piwigo photo gallery application. All versions from the earliest releases up to, but not including, 16.3.0 are affected. Administrators deploying these older releases should verify whether the pwg.history.search API is exposed and consider upgrading to a patched version. The product is hosted on web servers and is typically accessible via HTTPS or HTTP.", "description_and_impact": "An omission in the configuration of the pwg.history.search API method allowed anyone who can reach the Piwigo web application to query and retrieve the complete browsing history of all users. The vulnerability permits the disclosure of potentially sensitive information such as recently viewed galleries and photos. The flaw is rooted in a missing administrative restriction (CWE\u2011862) and is therefore considered an information\u2011disclosure issue rather than an execution flaw. No direct code execution or privilege escalation is possible.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity rating. The EPSS score below 1 percent suggests that real\u2011world exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the attack surface is publicly reachable; an unauthenticated attacker can simply perform HTTP requests to the exposed API endpoint. As it only yields information, the impact is limited to confidentiality, but an attacker could use the knowledge of visitor history for social engineering or phishing. Prompt application of the 16.3.0 patch is recommended."}}}}, "created": "2026-04-06T21:22:23.452164+00:00", "updated": "2026-04-10T09:45:38.457220+00:00", "vendors": ["piwigo", "piwigo$PRODUCT$piwigo"]}