CVE Tools

piwigo

Web & CMS PluginsFRoss-project

56

Cumulative CVEs

17

Monthly snapshots

#26

Peak rank

Top products

Latest CVEs

The 15 most recently published vulnerabilities affecting piwigo.

CVE-2026-27885Piwigo: SQL Injection in Activity.getList7.2Apr 3, 2026
CVE-2026-27834Piwigo: SQL Injection in pwg.users.getList API Method via filter Parameter7.2Apr 3, 2026
CVE-2026-27833Piwigo: Unauthenticated Information Disclosure via pwg.history.search API7.5Apr 3, 2026
CVE-2026-27634Piwigo: Pre-auth SQL injection via date filter parameters in ws_std_image_sql_filter9.8Apr 3, 2026
CVE-2025-62512Piwigo Vulnerable to User Enumeration via Password Reset Endpoint5.3Feb 24, 2026
CVE-2024-48928Piwigo's secret key can be brute forced7.5Feb 24, 2026
CVE-2025-62406Piwigo is vulnerable to one-click account takeover by modifying the password-reset link8.1Nov 18, 2025
CVE-2024-43018Piwigo 13.8.0 and below is vulnerable to SQL Injection in the parameters max_level and min_register. These parameters are used in ws_user_gerList function from file include\ws_functions\pwg.users.p...6.4Jul 29, 2025
CVE-2024-52701A stored cross-site scripting (XSS) vulnerability in the Configuration page of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page ...5.4Nov 20, 2024
CVE-2024-48311Piwigo v14.5.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Edit album function.8.8Oct 31, 2024
CVE-2024-46606A cross-site scripting (XSS) vulnerability in the component /admin.php?page=photo of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the...5.4Oct 16, 2024
CVE-2024-46605A cross-site scripting (XSS) vulnerability in the component /admin.php?page=album of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the...6.1Oct 16, 2024
CVE-2024-46333An authenticated cross-site scripting (XSS) vulnerability in Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Album Name parameter un...4.8Sep 27, 2024
CVE-2024-28662A Cross Site Scripting vulnerability exists in Piwigo before 14.3.0 script because of missing sanitization in create_tag in admin/include/functions.php.5.4Mar 13, 2024
CVE-2024-26450An issue exists within Piwigo before v.14.2.0 allowing a malicious user to take over the application. This exploit involves chaining a Cross Site Request Forgery vulnerability to issue a Stored Cro...5.4Feb 28, 2024