Description

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is directly concatenated into a SQL query without proper sanitization, allowing authenticated administrators to execute arbitrary SQL commands. This issue has been patched in version 16.3.0.

INFO

Published Date :

2026-04-03T21:35:13.966Z

Last Modified :

2026-04-03T21:35:13.966Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27834 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27834.

URL Resource
https://github.com/Piwigo/Piwigo/commit/9df471f16243371dc3725c5262e1632d23c8218a cve-icon cve-icon
https://github.com/Piwigo/Piwigo/security/advisories/GHSA-5jwg-cr5q-vjq2 cve-icon cve-icon
https://piwigo.org/release-16.3.0 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact