Product
piwigo
114 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2026-27885
CVE-2026-27834
CVE-2026-27833
CVE-2026-27634
CVE-2025-62512
CVE-2024-48928
CVE-2025-62406
CVE-2024-43018
CVE-2024-52701
CVE-2024-48311
CVE-2024-46606
CVE-2024-46605
CVE-2024-46333
CVE-2024-28662
CVE-2024-26450
CVE-2023-51790
CVE-2023-44393
CVE-2023-37270
CVE-2023-34626
CVE-2023-33362
CVE-2023-33361
CVE-2023-33359
CVE-2023-27233
CVE-2023-26876
CVE-2022-48007
CVE-2014-125053
CVE-2022-37183
CVE-2022-32297
CVE-2021-40553
CVE-2021-40678
CVE-2021-40317
CVE-2020-19217
CVE-2020-19216
CVE-2020-19215
CVE-2020-19213
CVE-2020-19212
CVE-2022-26267
CVE-2022-26266
CVE-2022-24620
CVE-2021-45357
CVE-2016-3735
CVE-2021-40882
CVE-2021-40313
CVE-2020-22150
CVE-2020-22148
CVE-2021-32615
CVE-2021-31783
CVE-2021-27973
CVE-2014-8945
CVE-2014-8944
CVE-2014-8943
CVE-2014-8942
CVE-2014-8941
CVE-2014-8940
CVE-2014-8939
CVE-2014-8938
CVE-2014-8937
CVE-2020-9468
CVE-2020-9467
CVE-2020-8089
CVE-2012-4526
CVE-2012-4525
CVE-2019-13364
CVE-2019-13363
CVE-2014-4613
CVE-2018-7724
CVE-2018-7723
CVE-2018-7722
CVE-2018-6883
CVE-2018-5692
CVE-2017-17827
CVE-2017-17826
CVE-2017-17825
CVE-2017-17824
CVE-2017-17823
CVE-2017-17822
CVE-2017-17775
CVE-2017-17774
CVE-2017-16893
CVE-2016-10514
CVE-2016-10513
CVE-2017-10682
CVE-2017-10681
CVE-2017-10680
CVE-2017-10679
CVE-2017-10678
CVE-2017-9836
CVE-2017-9464
CVE-2017-9463
CVE-2017-9452
CVE-2017-5608
CVE-2016-10105
CVE-2016-10085
CVE-2016-10084
CVE-2016-10083
CVE-2016-9751
CVE-2015-2035
CVE-2015-2034
CVE-2015-1517
CVE-2015-1441
CVE-2014-9115
CVE-2014-3900
CVE-2014-1980
CVE-2014-4614
CVE-2014-4649
CVE-2014-4648
CVE-2013-1468
CVE-2013-1469
CVE-2012-2209
CVE-2012-2208
CVE-2011-3790
CVE-2010-1707
CVE-2009-4039
CVE-2009-2933
< 16.3.0
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability was discove
< 16.3.0
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in t
< 16.3.0
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the pwg.history.search API method in Piwi
< 16.3.0
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the four date filter parameters (f_min_da
>= 15.0.0 and <= 15.5.0
Piwigo is an open source photo gallery application for the web. In version 15.5.0 and likely earlier 15.x releases, the password r
>= 14.0.0 and <= 14.5.0
Piwigo is an open source photo gallery application for the web. In versions on the 14.x branch, when installing, the secret_key co
all versions
Piwigo is a full featured open source photo gallery application for the web. In Piwigo 15.6.0, using the password reset function a
<= 13.8.0
Piwigo 13.8.0 and below is vulnerable to SQL Injection in the parameters max_level and min_register. These parameters are used in
all versions
A stored cross-site scripting (XSS) vulnerability in the Configuration page of Piwigo v14.5.0 allows attackers to execute arbitrar
all versions
Piwigo v14.5.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Edit album function.
<= 14.5.0
A cross-site scripting (XSS) vulnerability in the component /admin.php?page=photo of Piwigo v14.5.0 allows attackers to execute ar
<= 14.5.0
A cross-site scripting (XSS) vulnerability in the component /admin.php?page=album of Piwigo v14.5.0 allows attackers to execute ar
all versions
An authenticated cross-site scripting (XSS) vulnerability in Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or H
all versions
A Cross Site Scripting vulnerability exists in Piwigo before 14.3.0 script because of missing sanitization in create_tag in admin/
> 14.2.0
An issue exists within Piwigo before v.14.2.0 allowing a malicious user to take over the application. This exploit involves chaini
all versions
Cross Site Scripting vulnerability in piwigo v.14.0.0 allows a remote attacker to obtain sensitive information via the lang parame
<= 13.8.0
Piwigo is an open source photo gallery application. Prior to version 14.0.0beta4, a reflected cross-site scripting (XSS) vulnerabi
< 13.8.0
Piwigo is open source photo gallery software. Prior to version 13.8.0, there is a SQL Injection vulnerability in the login of the
<= 13.7.0
Piwigo 13.7.0 is vulnerable to SQL Injection via the "Users" function.
all versions
Piwigo 13.6.0 is vulnerable to SQL Injection via in the "profile" function.
all versions
Piwigo 13.6.0 is vulnerable to SQL Injection via /admin/permalinks.php.
all versions
Piwigo 13.6.0 is vulnerable to Cross Site Request Forgery (CSRF) in the "add tags" function.
< 13.6.0
Piwigo before 13.6.0 was discovered to contain a SQL injection vulnerability via the order[0][dir] parameter at user_list_backend.
<= 13.5.0
SQL injection vulnerability found in Piwigo v.13.5.0 and before allows a remote attacker to execute arbitrary code via the filter_
all versions
A stored cross-site scripting (XSS) vulnerability in identification.php of Piwigo v13.4.0 allows attackers to execute arbitrary we
< 1.3.1
A vulnerability was found in Piwigo-Guest-Book up to 1.3.0. It has been declared as critical. This vulnerability affects unknown c
all versions
Piwigo 12.3.0 is vulnerable to Cross Site Scripting (XSS) via /search/1940/created-monthly-list.
<= 12.2.0
Piwigo v12.2.0 was discovered to contain SQL injection vulnerability via the Search function.
all versions
piwigo 11.5.0 is affected by a remote code execution (RCE) vulnerability in the LocalFiles Editor.
all versions
In Piwigo 11.5.0, there exists a persistent cross-site scripting in the single mode function through /admin.php?page=batch_manager
all versions
Piwigo 11.5.0 is affected by a SQL injection vulnerability via admin.php and the id parameter.
all versions
SQL Injection vulnerability in admin/batch_manager.php in piwigo v2.9.5, via the filter_category parameter to admin.php?page=batch
all versions
SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=group_perm.
all versions
SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=user_perm.
all versions
SQL Injection vulnerability in cat_move.php in piwigo v2.9.5, via the selection parameter to move_categories.
all versions
SQL Injection vulnerability in admin/group_list.php in piwigo v2.9.5, via the group parameter to delete.
all versions
Piwigo v12.2.0 was discovered to contain an information leak via the action parameter in /admin/maintenance_actions.php.
all versions
Piwigo v12.2.0 was discovered to contain a SQL injection vulnerability via pwg.users.php.
all versions
Piwigo version 12.2.0 is vulnerable to stored cross-site scripting (XSS), which can lead to privilege escalation. In this way, adm
>= 12.0.0 and <= 12.1.0
Cross Site Scripting (XSS) vulnerability exists in Piwigo 12.x via the pwg_activity function in include/functions.inc.php.
< 2.8.1
Piwigo is image gallery software written in PHP. When a criteria is not met on a host, piwigo defaults to using mt_rand in order to
all versions
A Cross Site Scripting (XSS) vulnerability exists in Piwigo 11.5.0 via the system album name and description of the location.
all versions
Piwigo v11.5 was discovered to contain a SQL injection vulnerability via the parameter pwg_token in /admin/batch_manager_global.ph
all versions
A cross site scripting (XSS) vulnerability in /admin.php?page=permalinks of Piwigo 2.10.1 allows attackers to execute arbitrary we
all versions
A stored cross site scripting (XSS) vulnerability in /admin.php?page=tags of Piwigo 2.10.1 allows attackers to execute arbitrary w
all versions
Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection.
< 11.4.0.1
show_default.php in the LocalFilesEditor extension before 11.4.0.1 for Piwigo allows Local File Inclusion because the file paramet
< 11.4.0
SQL injection exists in Piwigo before 11.4.0 via the language parameter to admin.php?page=languages.
<= 2014-11-20
admin.php?page=projects in Lexiglot through 2014-11-20 allows command injection via username and password fields.
<= 2014-11-20
Lexiglot through 2014-11-20 allows XSS (Reflected) via the username, or XSS (Stored) via the admin.php?page=config install_name, i
<= 2014-11-20
Lexiglot through 2014-11-20 allows SSRF via the admin.php?page=projects svn_url parameter.
<= 2014-11-20
Lexiglot through 2014-11-20 allows CSRF.
<= 2014-11-20
Lexiglot through 2014-11-20 allows SQL injection via an admin.php?page=users&from_id= or admin.php?page=history&limit= URI.
<= 2014-11-20
Lexiglot through 2014-11-20 allows remote attackers to obtain sensitive information (names and details of projects) by visiting th
<= 2014-11-20
Lexiglot through 2014-11-20 allows remote attackers to obtain sensitive information (full path) via an include/smarty/plugins/modi
<= 2014-11-20
Lexiglot through 2014-11-20 allows local users to obtain sensitive information by listing a process because the username and passw
<= 2014-11-20
Lexiglot through 2014-11-20 allows denial of service because api/update.php launches svn update operations that use a great deal o
all versions
The Community plugin 2.9.e-beta for Piwigo allows users to set image information on images in albums for which they do not have pe
all versions
Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php request because of the pwg.images.setInfo function.
all versions
Piwigo 2.10.1 is affected by stored XSS via the Group Name Field to the group_list page.
>= 2.4.0 and <= 2.4.3
piwigo has XSS in password.php (incomplete fix for CVE-2012-4525)
>= 2.4.0 and <= 2.4.3
piwigo has XSS in password.php
all versions
admin.php?page=account_billing in Piwigo 2.9.5 has XSS via the vat_number, billing_name, company, or billing_address p
all versions
admin.php?page=notification_by_mail in Piwigo 2.9.5 has XSS via the nbm_send_html_mail, nbm_send_mail_as,
< 2.6.2
Cross-site request forgery (CSRF) vulnerability in the administration panel in Piwigo before 2.6.2 allows remote attackers to hija
all versions
The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /admin.php?page=photo-${photo_number} request. CSR
all versions
The management panel in Piwigo 2.9.3 has stored XSS via the virtual_name parameter in a /admin.php?page=cat_list request, a differ
all versions
The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /ws.php?format=json request. CSRF exploitation, re
< 2.9.3
Piwigo before 2.9.3 has SQL injection in admin/tags.php in the administration panel, via the tags array parameter in an admin.php?
all versions
Piwigo v2.8.2 has XSS via the tab, to, section, mode, installstatus, and display parameters of the admin.php file.
all versions
Piwigo 2.9.2 is vulnerable to Cross-Site Request Forgery via /admin.php?page=configuration&section=main or /admin.php?page=batch_m
all versions
The Configuration component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via the gallery_title parameter in an
all versions
The Batch Manager component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via tags-* array parameters in an adm
all versions
The Batch Manager component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/batch_manager_unit.php element_ids parame
all versions
The Configuration component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/configuration.php order_by array paramete
all versions
The List Users API of Piwigo 2.9.2 is vulnerable to SQL Injection via the /admin/user_list_backend.php sSortDir_0 parameter. An at
all versions
Piwigo 2.9.2 has XSS via the name parameter in an admin.php?page=album-3-properties request.
all versions
admin/configuration.php in Piwigo 2.9.2 has CSRF.
<= 2.9.2
The application Piwigo is affected by an SQL injection vulnerability in version 2.9.2 and possibly prior. This vulnerability allow
<= 2.8.2
url_check_format in include/functions.inc.php in Piwigo before 2.8.3 allows remote attackers to bypass intended access restriction
<= 2.8.2
Cross Site Scripting (XSS) exists in Piwigo before 2.8.3 via a crafted search expression to include/functions_search.inc.php.
<= 2.9.1
SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL com
<= 2.9.1
Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of us
<= 2.9.1
Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of us
<= 2.9.1
Piwigo through 2.9.1 allows remote attackers to obtain sensitive information about the descriptive name of a permalink by examinin
<= 2.9.1
Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of us
all versions
Cross-site scripting (XSS) vulnerability in Piwigo 2.9.1 allows remote authenticated administrators to inject arbitrary web script
<= 2.9.0
An open redirect vulnerability is present in Piwigo 2.9 and probably prior versions, allowing remote attackers to redirect users t
<= 2.9.0
The application Piwigo is affected by a SQL injection vulnerability in version 2.9.0 and possibly prior. This vulnerability allows
<= 2.9.0
Cross-site scripting (XSS) vulnerability in admin.php in Piwigo 2.9.0 and earlier allows remote attackers to inject arbitrary web
<= 2.8.5
Cross-site scripting (XSS) vulnerability in the image upload function in Piwigo before 2.8.6 allows remote attackers to inject arb
<= 2.8.3
admin/plugin.php in Piwigo through 2.8.3 doesn't validate the sections variable while using it to include files. This can cause in
<= 2.8.3
admin/languages.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the t
<= 2.8.3
admin/batch_manager.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via t
<= 2.8.3
Cross-site scripting (XSS) vulnerability in admin/plugin.php in Piwigo through 2.8.3 allows remote attackers to inject arbitrary w
all versions
Cross-site scripting (XSS) vulnerability in the search results front end in Piwigo 2.8.3 allows remote attackers to inject arbitra
<= 2.7.3
SQL injection vulnerability in the administrative backend in Piwigo before 2.7.4 allows remote administrators to execute arbitrary
<= 2.7.3
Cross-site scripting (XSS) vulnerability in the administrative backend in Piwigo before 2.7.4 allows remote attackers to inject ar
<= 2.7.3
SQL injection vulnerability in Piwigo before 2.7.4, when all filters are activated, allows remote authenticated users to execute a
<= 2.5.5
SQL injection vulnerability in Piwigo before 2.5.6, 2.6.x before 2.6.5, and 2.7.x before 2.7.3 allows remote attackers to execute
<= 2.5.5
SQL injection vulnerability in the rate_picture function in include/functions_rate.inc.php in Piwigo before 2.5.5, 2.6.x before 2.
<= 2.6.3
Cross-site scripting (XSS) vulnerability in admin/picture_modify.php in the photo-edit subsystem in Piwigo 2.6.3 and earlier allow
<= 2.4.5
Cross-site scripting (XSS) vulnerability in include/functions_metadata.inc.php in Piwigo before 2.4.6 allows remote attackers to i
<= 2.6.1
Multiple cross-site request forgery (CSRF) vulnerabilities in Piwigo before 2.6.2 allow remote attackers to hijack the authenticat
all versions
SQL injection vulnerability in the photo-edit subsystem in Piwigo 2.6.x and 2.7.x before 2.7.0beta2 allows remote authenticated ad
<= 2.6.2
Unspecified vulnerability in Piwigo before 2.6.3 has unknown impact and attack vectors, related to a "security failure."
<= 2.4.6
Cross-site request forgery (CSRF) vulnerability in the LocalFiles Editor plugin in Piwigo before 2.4.7 allows remote attackers to
<= 2.4.6
Directory traversal vulnerability in install.php in Piwigo before 2.4.7 allows remote attackers to read and delete arbitrary files
<= 2.3.3
Multiple cross-site scripting (XSS) vulnerabilities in admin.php in Piwigo before 2.3.4 allow remote attackers to inject arbitrary
<= 2.3.3
Directory traversal vulnerability in upgrade.php in Piwigo before 2.3.4 allows remote attackers to include and execute arbitrary l
all versions
Piwigo 2.1.5 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the instal
<= 2.0.9
Multiple cross-site scripting (XSS) vulnerabilities in register.php in Piwigo 2.0.9 and earlier allow remote attackers to inject a
<= 2.0.5
Cross-site scripting (XSS) vulnerability in Piwigo before 2.0.6 allows remote attackers to inject arbitrary web script or HTML via
<= 2.0
SQL injection vulnerability in comments.php in Piwigo before 2.0.3 allows remote attackers to execute arbitrary SQL commands via t