{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-27834/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-27834"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["piwigo","sql-injection","cve-2026-27834"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePiwigo, an open-source photo gallery application, is vulnerable to SQL injection in versions before 16.3.0. The vulnerability resides in the \u003ccode\u003epwg.users.getList\u003c/code\u003e Web Service API method. Specifically, the \u003ccode\u003efilter\u003c/code\u003e parameter is directly concatenated into a SQL query without sufficient sanitization. This allows an authenticated administrator to inject and execute arbitrary SQL commands on the Piwigo server. Successful exploitation could lead to data exfiltration, modification, or complete compromise of the Piwigo instance. Version 16.3.0 patches this vulnerability. The vulnerability was reported on April 3rd, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated administrator logs into the Piwigo web interface.\u003c/li\u003e\n\u003cli\u003eThe administrator crafts a malicious HTTP POST request to the \u003ccode\u003eapi.php\u003c/code\u003e endpoint, targeting the \u003ccode\u003epwg.users.getList\u003c/code\u003e Web Service API method.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes the \u003ccode\u003efilter\u003c/code\u003e parameter containing a SQL injection payload. The payload is designed to exploit the lack of sanitization.\u003c/li\u003e\n\u003cli\u003eThe Piwigo application receives the request and processes the \u003ccode\u003epwg.users.getList\u003c/code\u003e API call.\u003c/li\u003e\n\u003cli\u003eThe application concatenates the attacker-controlled \u003ccode\u003efilter\u003c/code\u003e parameter directly into a SQL query without proper escaping or sanitization.\u003c/li\u003e\n\u003cli\u003eThe crafted SQL query is executed against the Piwigo database.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code performs unauthorized actions, such as extracting sensitive data, modifying database records, or executing system commands via SQL.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the results of the injected SQL query from the HTTP response.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2026-27834) in Piwigo versions before 16.3.0 can lead to complete compromise of the Piwigo installation. An attacker could potentially access sensitive data such as user credentials, private photos, and system configuration information. The attacker could also modify or delete data, disrupt service, or potentially gain unauthorized access to the underlying server. Given the administrator privilege required for exploitation, the impact is considered significant within the vulnerable Piwigo instance.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Piwigo to version 16.3.0 or later to patch CVE-2026-27834 (see references).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect exploitation attempts against the \u003ccode\u003epwg.users.getList\u003c/code\u003e API endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003eapi.php\u003c/code\u003e containing unusual characters or SQL keywords in the \u003ccode\u003efilter\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T22:16:26Z","date_published":"2026-04-03T22:16:26Z","id":"/briefs/2026-04-piwigo-sql-injection/","summary":"A SQL Injection vulnerability (CVE-2026-27834) exists in Piwigo versions prior to 16.3.0, allowing authenticated administrators to execute arbitrary SQL commands via the pwg.users.getList Web Service API method.","title":"Piwigo SQL Injection Vulnerability (CVE-2026-27834)","url":"https://feed.craftedsignal.io/briefs/2026-04-piwigo-sql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-27834","version":"https://jsonfeed.org/version/1.1"}