Attack Chain

1. An authenticated administrator logs into the Piwigo web interface.
2. The administrator crafts a malicious HTTP POST request to the api.php endpoint, targeting the pwg.users.getList Web Service API method.
3. The malicious request includes the filter parameter containing a SQL injection payload. The payload is designed to exploit the lack of sanitization.
4. The Piwigo application receives the request and processes the pwg.users.getList API call.
5. The application concatenates the attacker-controlled filter parameter directly into a SQL query without proper escaping or sanitization.
6. The crafted SQL query is executed against the Piwigo database.
7. The injected SQL code performs unauthorized actions, such as extracting sensitive data, modifying database records, or executing system commands via SQL.
8. The attacker retrieves the results of the injected SQL query from the HTTP response.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-27834) in Piwigo versions before 16.3.0 can lead to complete compromise of the Piwigo installation. An attacker could potentially access sensitive data such as user credentials, private photos, and system configuration information. The attacker could also modify or delete data, disrupt service, or potentially gain unauthorized access to the underlying server. Given the administrator privilege required for exploitation, the impact is considered significant within the vulnerable Piwigo instance.

Recommendation

• Upgrade Piwigo to version 16.3.0 or later to patch CVE-2026-27834 (see references).
• Deploy the provided Sigma rule to detect exploitation attempts against the pwg.users.getList API endpoint.
• Monitor web server logs for suspicious POST requests to api.php containing unusual characters or SQL keywords in the filter parameter.