https://feed.craftedsignal.io/tags/piwigo/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 03 Apr 2026 22:16:26 +0000https://feed.craftedsignal.io/briefs/2026-04-piwigo-sqli/Fri, 03 Apr 2026 22:16:26 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-piwigo-sqli/CVE-2026-27885 is a SQL Injection vulnerability in Piwigo before version 16.3.0, affecting the Activity List API endpoint, allowing an authenticated administrator to extract sensitive data.Piwigo is an open-source photo gallery application. A SQL Injection vulnerability, identified as CVE-2026-27885, exists in Piwigo versions prior to 16.3.0. Specifically, the Activity List API endpoint is susceptible. An authenticated administrator, by crafting malicious SQL queries, can exploit this vulnerability to extract sensitive data, including user credentials, email addresses, and all stored content within the Piwigo database. Piwigo versions 16.3.0 and later contain a patch for this vulnerability. This allows attackers to potentially take over the entire Piwigo instance by exploiting the vulnerability and dumping the credentials of other administrators or users. The CVSS v3.1 base score is rated as 7.2 (HIGH).

Attack Chain

1. An attacker gains administrative access to a Piwigo instance running a version prior to 16.3.0, through either brute-forcing credentials or compromising an existing admin account.
2. The attacker crafts a malicious SQL query designed to exploit the SQL Injection vulnerability in the Activity List API endpoint.
3. The attacker sends a request to the vulnerable Activity List API endpoint with the crafted SQL payload embedded within the request parameters.
4. The Piwigo application processes the request without proper sanitization, executing the malicious SQL query against the database.
5. The database returns the results of the malicious query, which could include sensitive information such as user credentials, email addresses, and other stored data.
6. The attacker captures the database response and extracts the sensitive information.
7. The attacker uses the extracted credentials to elevate privileges or impersonate other users, potentially gaining full control of the Piwigo instance.
8. The attacker exfiltrates sensitive data, defaces the photo gallery, or performs other malicious actions.

Impact

Successful exploitation of CVE-2026-27885 can lead to complete compromise of a Piwigo instance. An attacker could steal user credentials, modify or delete photos, and potentially use the compromised server as a staging point for further attacks. The number of affected installations is unknown, but any Piwigo instance running a version prior to 16.3.0 is vulnerable if an attacker can get administrative access.

Recommendation

• Upgrade Piwigo installations to version 16.3.0 or later to patch CVE-2026-27885.
• Monitor web server logs for suspicious requests to the Activity List API endpoint that contain potentially malicious SQL syntax to trigger the rule Detecting SQL Injection Attempts in Piwigo.
• Implement strict input validation and sanitization on all user-supplied data to prevent SQL injection vulnerabilities.

]]>highadvisorysql-injectionweb-applicationpiwigohttps://feed.craftedsignal.io/briefs/2026-04-piwigo-sql-injection/Fri, 03 Apr 2026 22:16:26 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-piwigo-sql-injection/A SQL Injection vulnerability (CVE-2026-27834) exists in Piwigo versions prior to 16.3.0, allowing authenticated administrators to execute arbitrary SQL commands via the pwg.users.getList Web Service API method.Piwigo, an open-source photo gallery application, is vulnerable to SQL injection in versions before 16.3.0. The vulnerability resides in the pwg.users.getList Web Service API method. Specifically, the filter parameter is directly concatenated into a SQL query without sufficient sanitization. This allows an authenticated administrator to inject and execute arbitrary SQL commands on the Piwigo server. Successful exploitation could lead to data exfiltration, modification, or complete compromise of the Piwigo instance. Version 16.3.0 patches this vulnerability. The vulnerability was reported on April 3rd, 2026.

Attack Chain

1. An authenticated administrator logs into the Piwigo web interface.
2. The administrator crafts a malicious HTTP POST request to the api.php endpoint, targeting the pwg.users.getList Web Service API method.
3. The malicious request includes the filter parameter containing a SQL injection payload. The payload is designed to exploit the lack of sanitization.
4. The Piwigo application receives the request and processes the pwg.users.getList API call.
5. The application concatenates the attacker-controlled filter parameter directly into a SQL query without proper escaping or sanitization.
6. The crafted SQL query is executed against the Piwigo database.
7. The injected SQL code performs unauthorized actions, such as extracting sensitive data, modifying database records, or executing system commands via SQL.
8. The attacker retrieves the results of the injected SQL query from the HTTP response.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-27834) in Piwigo versions before 16.3.0 can lead to complete compromise of the Piwigo installation. An attacker could potentially access sensitive data such as user credentials, private photos, and system configuration information. The attacker could also modify or delete data, disrupt service, or potentially gain unauthorized access to the underlying server. Given the administrator privilege required for exploitation, the impact is considered significant within the vulnerable Piwigo instance.

Recommendation

• Upgrade Piwigo to version 16.3.0 or later to patch CVE-2026-27834 (see references).
• Deploy the provided Sigma rule to detect exploitation attempts against the pwg.users.getList API endpoint.
• Monitor web server logs for suspicious POST requests to api.php containing unusual characters or SQL keywords in the filter parameter.

]]>highadvisorypiwigosql-injectioncve-2026-27834https://feed.craftedsignal.io/briefs/2026-04-piwigo-history-search/Fri, 03 Apr 2026 22:16:25 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-piwigo-history-search/Piwigo versions prior to 16.3.0 expose the full browsing history of gallery visitors to unauthenticated users via the pwg.history.search API method due to a missing authorization check.Piwigo, an open-source photo gallery application, contains a vulnerability (CVE-2026-27833) affecting versions prior to 16.3.0. The vulnerability lies within the pwg.history.search API method, which lacks an admin_only access control. This oversight allows unauthenticated users to query and retrieve the browsing history of all gallery visitors. An attacker can leverage this flaw to gain insights into user behavior, potentially exposing sensitive information about their interests and activities within the photo gallery. Piwigo version 16.3.0 addresses this vulnerability by implementing the necessary authorization check.

Attack Chain

1. An unauthenticated attacker identifies a Piwigo instance running a version prior to 16.3.0.
2. The attacker crafts a malicious HTTP request targeting the pwg.history.search API endpoint.
3. The attacker sends the crafted HTTP request to the vulnerable Piwigo server.
4. The Piwigo server, lacking proper authorization checks, processes the request without authentication.
5. The server retrieves the browsing history of all gallery visitors from the database.
6. The server returns the browsing history data in the HTTP response to the attacker.
7. The attacker parses the response and analyzes the browsing history data to identify user activities and interests.

Impact

Successful exploitation of CVE-2026-27833 allows unauthenticated attackers to access sensitive user browsing history within a Piwigo photo gallery. This can lead to a privacy breach, potentially exposing user interests, activities, and even personal information gleaned from their browsing patterns. The impact is limited to information disclosure as the attacker cannot modify data, but the privacy implications can be significant for users of affected Piwigo installations.

Recommendation

• Upgrade all Piwigo installations to version 16.3.0 or later to patch CVE-2026-27833.
• Monitor web server logs for requests to the pwg.history.search API endpoint, especially those lacking authentication, to detect potential exploitation attempts. Deploy the Sigma rule Detect Piwigo History Search Access to identify suspicious activity.
• Implement a Web Application Firewall (WAF) rule to block unauthorized access to the pwg.history.search API endpoint.

]]>mediumadvisorypiwigovulnerabilityinformation-disclosure