{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27834", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T02:32:39.800Z", "datePublished": "2026-04-03T21:35:13.966Z", "dateUpdated": "2026-04-06T15:42:28.113Z"}, "containers": {"cna": {"title": "Piwigo: SQL Injection in pwg.users.getList API Method via filter Parameter", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-5jwg-cr5q-vjq2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-5jwg-cr5q-vjq2"}, {"name": "https://github.com/Piwigo/Piwigo/commit/9df471f16243371dc3725c5262e1632d23c8218a", "tags": ["x_refsource_MISC"], "url": "https://github.com/Piwigo/Piwigo/commit/9df471f16243371dc3725c5262e1632d23c8218a"}, {"name": "https://piwigo.org/release-16.3.0", "tags": ["x_refsource_MISC"], "url": "https://piwigo.org/release-16.3.0"}], "affected": [{"vendor": "Piwigo", "product": "Piwigo", "versions": [{"version": "< 16.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T21:35:13.966Z"}, "descriptions": [{"lang": "en", "value": "Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is directly concatenated into a SQL query without proper sanitization, allowing authenticated administrators to execute arbitrary SQL commands. This issue has been patched in version 16.3.0."}], "source": {"advisory": "GHSA-5jwg-cr5q-vjq2", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-5jwg-cr5q-vjq2", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T15:38:05.554183Z", "id": "CVE-2026-27834", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:42:28.113Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27834", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-06T15:38:05.554183Z"}}}], "references": [{"url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-5jwg-cr5q-vjq2", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:38:14.278Z"}}], "cna": {"title": "Piwigo: SQL Injection in pwg.users.getList API Method via filter Parameter", "source": {"advisory": "GHSA-5jwg-cr5q-vjq2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Piwigo", "product": "Piwigo", "versions": [{"status": "affected", "version": "< 16.3.0"}]}], "references": [{"url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-5jwg-cr5q-vjq2", "name": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-5jwg-cr5q-vjq2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Piwigo/Piwigo/commit/9df471f16243371dc3725c5262e1632d23c8218a", "name": "https://github.com/Piwigo/Piwigo/commit/9df471f16243371dc3725c5262e1632d23c8218a", "tags": ["x_refsource_MISC"]}, {"url": "https://piwigo.org/release-16.3.0", "name": "https://piwigo.org/release-16.3.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is directly concatenated into a SQL query without proper sanitization, allowing authenticated administrators to execute arbitrary SQL commands. This issue has been patched in version 16.3.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T21:35:13.966Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27834", "state": "PUBLISHED", "dateUpdated": "2026-04-06T15:42:28.113Z", "dateReserved": "2026-02-24T02:32:39.800Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T21:35:13.966Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", "matchCriteriaId": "3502BA46-5475-47BC-BA8F-F9456A836F1A", "versionEndExcluding": "16.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is directly concatenated into a SQL query without proper sanitization, allowing authenticated administrators to execute arbitrary SQL commands. This issue has been patched in version 16.3.0."}], "id": "CVE-2026-27834", "lastModified": "2026-04-09T21:15:01.457", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-03T22:16:26.013", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Piwigo/Piwigo/commit/9df471f16243371dc3725c5262e1632d23c8218a"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-5jwg-cr5q-vjq2"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://piwigo.org/release-16.3.0"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-5jwg-cr5q-vjq2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,16.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Piwigo", "source": "cna", "vendor": "Piwigo"}, "product": "piwigo", "vendor": "piwigo"}], "analysis": {"en": {"generated_at": "2026-04-09T22:58:22.490324+00:00", "value": {"mitigation_remediation": ["Upgrade Piwigo to version\u00a016.3.0 or later.", "If an immediate upgrade is not possible, restrict API access to trusted administrators and monitor logs for anomalous queries.", "Verify that the web server and database are not exposed to public networks without proper authentication."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized SQL Execution"}, "threat_synthesis": {"affected_systems": "All Piwigo installations running a version earlier than 16.3.0 are vulnerable. The issue is addressed in Piwigo version\u00a016.3.0, which removes the unsanitized filter usage.", "description_and_impact": "Piwigo, a popular web photo gallery application, has a flaw in the pwg.users.getList Web Service API. The filter parameter is concatenated straight into a SQL query without sanitization, creating a classic SQL injection vulnerability (CWE\u201189). Since the API requires an authenticated administrator, an attacker who logs in with admin rights can run arbitrary SQL statements. This can lead to data exposure, modification, or deletion, and in some configurations may even trigger privileged operations on the underlying database server.", "risk_and_exploitability": "The vulnerability has a CVSS score of 7.2, indicating high severity. The EPSS score is below 1\u202f%, showing a low predicted exploit frequency, and it is not listed in CISA\u2019s KEV catalog. Exploitation requires the attacker to have administrator authentication to the site and knowledge of the API. Once authenticated, the injected SQL can be executed with the privileges of the administrator or the database user used by Piwigo."}}}}, "created": "2026-04-06T21:22:22.436088+00:00", "updated": "2026-04-10T09:45:37.450906+00:00", "vendors": ["piwigo", "piwigo$PRODUCT$piwigo"]}