{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/piwigo/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-27885"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application","piwigo"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePiwigo is an open-source photo gallery application. A SQL Injection vulnerability, identified as CVE-2026-27885, exists in Piwigo versions prior to 16.3.0. Specifically, the Activity List API endpoint is susceptible. An authenticated administrator, by crafting malicious SQL queries, can exploit this vulnerability to extract sensitive data, including user credentials, email addresses, and all stored content within the Piwigo database. Piwigo versions 16.3.0 and later contain a patch for this vulnerability. This allows attackers to potentially take over the entire Piwigo instance by exploiting the vulnerability and dumping the credentials of other administrators or users. The CVSS v3.1 base score is rated as 7.2 (HIGH).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains administrative access to a Piwigo instance running a version prior to 16.3.0, through either brute-forcing credentials or compromising an existing admin account.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SQL query designed to exploit the SQL Injection vulnerability in the Activity List API endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to the vulnerable Activity List API endpoint with the crafted SQL payload embedded within the request parameters.\u003c/li\u003e\n\u003cli\u003eThe Piwigo application processes the request without proper sanitization, executing the malicious SQL query against the database.\u003c/li\u003e\n\u003cli\u003eThe database returns the results of the malicious query, which could include sensitive information such as user credentials, email addresses, and other stored data.\u003c/li\u003e\n\u003cli\u003eThe attacker captures the database response and extracts the sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted credentials to elevate privileges or impersonate other users, potentially gaining full control of the Piwigo instance.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data, defaces the photo gallery, or performs other malicious actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-27885 can lead to complete compromise of a Piwigo instance. An attacker could steal user credentials, modify or delete photos, and potentially use the compromised server as a staging point for further attacks. The number of affected installations is unknown, but any Piwigo instance running a version prior to 16.3.0 is vulnerable if an attacker can get administrative access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Piwigo installations to version 16.3.0 or later to patch CVE-2026-27885.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to the Activity List API endpoint that contain potentially malicious SQL syntax to trigger the rule \u003ccode\u003eDetecting SQL Injection Attempts in Piwigo\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization on all user-supplied data to prevent SQL injection vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T22:16:26Z","date_published":"2026-04-03T22:16:26Z","id":"/briefs/2026-04-piwigo-sqli/","summary":"CVE-2026-27885 is a SQL Injection vulnerability in Piwigo before version 16.3.0, affecting the Activity List API endpoint, allowing an authenticated administrator to extract sensitive data.","title":"Piwigo SQL Injection Vulnerability (CVE-2026-27885)","url":"https://feed.craftedsignal.io/briefs/2026-04-piwigo-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-27834"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["piwigo","sql-injection","cve-2026-27834"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePiwigo, an open-source photo gallery application, is vulnerable to SQL injection in versions before 16.3.0. The vulnerability resides in the \u003ccode\u003epwg.users.getList\u003c/code\u003e Web Service API method.  Specifically, the \u003ccode\u003efilter\u003c/code\u003e parameter is directly concatenated into a SQL query without sufficient sanitization. This allows an authenticated administrator to inject and execute arbitrary SQL commands on the Piwigo server.  Successful exploitation could lead to data exfiltration, modification, or complete compromise of the Piwigo instance.  Version 16.3.0 patches this vulnerability. The vulnerability was reported on April 3rd, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated administrator logs into the Piwigo web interface.\u003c/li\u003e\n\u003cli\u003eThe administrator crafts a malicious HTTP POST request to the \u003ccode\u003eapi.php\u003c/code\u003e endpoint, targeting the \u003ccode\u003epwg.users.getList\u003c/code\u003e Web Service API method.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes the \u003ccode\u003efilter\u003c/code\u003e parameter containing a SQL injection payload. The payload is designed to exploit the lack of sanitization.\u003c/li\u003e\n\u003cli\u003eThe Piwigo application receives the request and processes the \u003ccode\u003epwg.users.getList\u003c/code\u003e API call.\u003c/li\u003e\n\u003cli\u003eThe application concatenates the attacker-controlled \u003ccode\u003efilter\u003c/code\u003e parameter directly into a SQL query without proper escaping or sanitization.\u003c/li\u003e\n\u003cli\u003eThe crafted SQL query is executed against the Piwigo database.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code performs unauthorized actions, such as extracting sensitive data, modifying database records, or executing system commands via SQL.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the results of the injected SQL query from the HTTP response.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2026-27834) in Piwigo versions before 16.3.0 can lead to complete compromise of the Piwigo installation. An attacker could potentially access sensitive data such as user credentials, private photos, and system configuration information. The attacker could also modify or delete data, disrupt service, or potentially gain unauthorized access to the underlying server. Given the administrator privilege required for exploitation, the impact is considered significant within the vulnerable Piwigo instance.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Piwigo to version 16.3.0 or later to patch CVE-2026-27834 (see references).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect exploitation attempts against the \u003ccode\u003epwg.users.getList\u003c/code\u003e API endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003eapi.php\u003c/code\u003e containing unusual characters or SQL keywords in the \u003ccode\u003efilter\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T22:16:26Z","date_published":"2026-04-03T22:16:26Z","id":"/briefs/2026-04-piwigo-sql-injection/","summary":"A SQL Injection vulnerability (CVE-2026-27834) exists in Piwigo versions prior to 16.3.0, allowing authenticated administrators to execute arbitrary SQL commands via the pwg.users.getList Web Service API method.","title":"Piwigo SQL Injection Vulnerability (CVE-2026-27834)","url":"https://feed.craftedsignal.io/briefs/2026-04-piwigo-sql-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-27833"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["piwigo","vulnerability","information-disclosure"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePiwigo, an open-source photo gallery application, contains a vulnerability (CVE-2026-27833) affecting versions prior to 16.3.0. The vulnerability lies within the \u003ccode\u003epwg.history.search\u003c/code\u003e API method, which lacks an \u003ccode\u003eadmin_only\u003c/code\u003e access control. This oversight allows unauthenticated users to query and retrieve the browsing history of all gallery visitors. An attacker can leverage this flaw to gain insights into user behavior, potentially exposing sensitive information about their interests and activities within the photo gallery. Piwigo version 16.3.0 addresses this vulnerability by implementing the necessary authorization check.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a Piwigo instance running a version prior to 16.3.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003epwg.history.search\u003c/code\u003e API endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted HTTP request to the vulnerable Piwigo server.\u003c/li\u003e\n\u003cli\u003eThe Piwigo server, lacking proper authorization checks, processes the request without authentication.\u003c/li\u003e\n\u003cli\u003eThe server retrieves the browsing history of all gallery visitors from the database.\u003c/li\u003e\n\u003cli\u003eThe server returns the browsing history data in the HTTP response to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the response and analyzes the browsing history data to identify user activities and interests.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-27833 allows unauthenticated attackers to access sensitive user browsing history within a Piwigo photo gallery. This can lead to a privacy breach, potentially exposing user interests, activities, and even personal information gleaned from their browsing patterns. The impact is limited to information disclosure as the attacker cannot modify data, but the privacy implications can be significant for users of affected Piwigo installations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all Piwigo installations to version 16.3.0 or later to patch CVE-2026-27833.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to the \u003ccode\u003epwg.history.search\u003c/code\u003e API endpoint, especially those lacking authentication, to detect potential exploitation attempts. Deploy the Sigma rule \u003ccode\u003eDetect Piwigo History Search Access\u003c/code\u003e to identify suspicious activity.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to block unauthorized access to the \u003ccode\u003epwg.history.search\u003c/code\u003e API endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T22:16:25Z","date_published":"2026-04-03T22:16:25Z","id":"/briefs/2026-04-piwigo-history-search/","summary":"Piwigo versions prior to 16.3.0 expose the full browsing history of gallery visitors to unauthenticated users via the pwg.history.search API method due to a missing authorization check.","title":"Piwigo Unauthenticated History Search Access","url":"https://feed.craftedsignal.io/briefs/2026-04-piwigo-history-search/"}],"language":"en","title":"CraftedSignal Threat Feed — Piwigo","version":"https://jsonfeed.org/version/1.1"}