Piwigo

This hub aggregates every CVE we track for Piwigo. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Piwigo.

• CVE-2026-27885Piwigo: SQL Injection in Activity.getList7.2Apr 3, 2026
• CVE-2026-27834Piwigo: SQL Injection in pwg.users.getList API Method via filter Parameter7.2Apr 3, 2026
• CVE-2026-27833Piwigo: Unauthenticated Information Disclosure via pwg.history.search API7.5Apr 3, 2026
• CVE-2026-27634Piwigo: Pre-auth SQL injection via date filter parameters in ws_std_image_sql_filter9.8Apr 3, 2026
• CVE-2025-62512Piwigo Vulnerable to User Enumeration via Password Reset Endpoint5.3Feb 24, 2026
• CVE-2024-48928Piwigo's secret key can be brute forced7.5Feb 24, 2026
• CVE-2025-62406Piwigo is vulnerable to one-click account takeover by modifying the password-reset link8.1Nov 18, 2025
• CVE-2024-43018Piwigo 13.8.0 and below is vulnerable to SQL Injection in the parameters max_level and min_register. These parameters are used in ws_user_gerList function from file include\ws_functions\pwg.users.p...6.4Jul 29, 2025
• CVE-2024-52701A stored cross-site scripting (XSS) vulnerability in the Configuration page of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page ...5.4Nov 20, 2024
• CVE-2024-48311Piwigo v14.5.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Edit album function.8.8Oct 31, 2024
• CVE-2024-46605A cross-site scripting (XSS) vulnerability in the component /admin.php?page=album of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the...6.1Oct 16, 2024
• CVE-2024-46606A cross-site scripting (XSS) vulnerability in the component /admin.php?page=photo of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the...5.4Oct 16, 2024
• CVE-2024-46333An authenticated cross-site scripting (XSS) vulnerability in Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Album Name parameter un...4.8Sep 27, 2024
• CVE-2024-28662A Cross Site Scripting vulnerability exists in Piwigo before 14.3.0 script because of missing sanitization in create_tag in admin/include/functions.php.5.4Mar 13, 2024
• CVE-2024-26450An issue exists within Piwigo before v.14.2.0 allowing a malicious user to take over the application. This exploit involves chaining a Cross Site Request Forgery vulnerability to issue a Stored Cro...5.4Feb 28, 2024