SQL Injection in Piwigo
CVE-2026-27634
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the four date filter parameters (f_min_date_available, f_max_date_available, f_min_date_created, f_max_date_created) in ws_std_image_sql_filter() are…
Vulnerability class: SQL Injection
EPSS: 0.000 (10.5th percentile)
Affected products
- Piwigo — versions < 16.3.0
Weakness classification (CWE)
References
- https://github.com/Piwigo/Piwigo/security/advisories/GHSA-mgqc-3445-qghq (x_refsource_CONFIRM)
- https://github.com/Piwigo/Piwigo/commit/0d5ed1f7778bbe263410446d8cf64594df75bd08 (x_refsource_MISC)
- https://piwigo.org/release-16.3.0 (x_refsource_MISC)