1037 matches found
CVE-2025-62512
Piwigo 15.x (tested up to 15.5.0) is affected by CVE-2025-62512 through its password reset endpoint password.php?action=lost, which leaks whether a username/email exists by returning distinct messages for valid vs invalid accounts. The vulnerability enables unauthenticated user enumeration and ha...
CVE-2025-62512 Piwigo Vulnerable to User Enumeration via Password Reset Endpoint
Piwigo is an open source photo gallery application for the web. In version 15.5.0 and likely earlier 15.x releases, the password reset functionality in Piwigo allows an unauthenticated attacker to determine whether a given username or email address exists in the system. The endpoint at...
CVE-2025-62512 Piwigo Vulnerable to User Enumeration via Password Reset Endpoint
Piwigo is an open source photo gallery application for the web. In version 15.5.0 and likely earlier 15.x releases, the password reset functionality in Piwigo allows an unauthenticated attacker to determine whether a given username or email address exists in the system. The endpoint at...
CVE-2025-62512 Piwigo Vulnerable to User Enumeration via Password Reset Endpoint
Piwigo is an open source photo gallery application for the web. In version 15.5.0 and likely earlier 15.x releases, the password reset functionality in Piwigo allows an unauthenticated attacker to determine whether a given username or email address exists in the system. The endpoint at...
CVE-2024-48928 Piwigo's secret key can be brute forced
Piwigo is an open source photo gallery application for the web. In versions on the 14.x branch, when installing, the secretkey configuration parameter is set to MD5RAND in MySQL. However, RAND only has 30 bits of randomness, making it feasible to brute-force the secret key. The CSRF token is...
CVE-2024-48928 Piwigo's secret key can be brute forced
Piwigo is an open source photo gallery application for the web. In versions on the 14.x branch, when installing, the secretkey configuration parameter is set to MD5RAND in MySQL. However, RAND only has 30 bits of randomness, making it feasible to brute-force the secret key. The CSRF token is...
CVE-2024-48928 Piwigo's secret key can be brute forced
Piwigo is an open source photo gallery application for the web. In versions on the 14.x branch, when installing, the secretkey configuration parameter is set to MD5RAND in MySQL. However, RAND only has 30 bits of randomness, making it feasible to brute-force the secret key. The CSRF token is...
CVE-2024-48928
Piwigo CVE-2024-48928 affects 14.x branch installations where secret_key is set to MD5(RAND()) in MySQL. RAND() offers about 30 bits of entropy, making brute-forcing feasible within roughly an hour. The CSRF token partially derives from the secret_key, allowing verification of a brute-force attem...
Piwigo 安全特征问题漏洞
Piwigo is a web-based open-source image library software developed by Piwigo contributors. This software includes functions such as image management, image classification, and permission management. Versions of Piwigo prior to 15.0.0 had security vulnerabilities. These vulnerabilities stemmed fro...
Piwigo 安全漏洞
Piwigo is a web-based open-source image library software developed by Piwigo contributors. This software includes features such as image management, image classification, and permission management. Versions of Piwigo starting from 15.5.0 and earlier, including 15.x, have security vulnerabilities...
PT-2026-21769
Name of the Vulnerable Software and Affected Versions Piwigo versions 14.x Description Piwigo is a photo gallery application for the web. In versions on the 14.x branch, the secret key configuration parameter is set to MD5RAND during installation when using MySQL. The RAND function has limited...
PT-2026-21770
Name of the Vulnerable Software and Affected Versions Piwigo versions prior to 15.5.0 Description Piwigo is a photo gallery application for the web. The password reset functionality allows an unauthenticated attacker to determine if a given username or email address exists in the system. The...
CVE-2009-4039
Cross-site scripting XSS vulnerability in Piwigo before 2.0.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...
CVE-2021-27973
SQL injection exists in Piwigo before 11.4.0 via the language parameter to admin.php?page=languages...
CVE-2021-31783
showdefault.php in the LocalFilesEditor extension before 11.4.0.1 for Piwigo allows Local File Inclusion because the file parameter is not validated with a proper regular-expression check...
CVE-2016-10513
Cross Site Scripting XSS exists in Piwigo before 2.8.3 via a crafted search expression to include/functionssearch.inc.php...
CVE-2016-10514
urlcheckformat in include/functions.inc.php in Piwigo before 2.8.3 allows remote attackers to bypass intended access restrictions via a URL that contains a " character, or a URL beginning with a substring other than the http:// or https:// substring...
CVE-2022-26267
Piwigo v12.2.0 was discovered to contain an information leak via the action parameter in /admin/maintenanceactions.php...
CVE-2022-26266
Piwigo v12.2.0 was discovered to contain a SQL injection vulnerability via pwg.users.php...
📄 Piwigo 13.6.0 SQL Injection
Piwigo version 13.6.0 suffers from a remote SQL injection vulnerability. Exploit Title: Piwigo 13.6.0 - SQL Injection Date: 2025-11-25 Exploit Author: CodeSecLab Vendor Homepage: https://github.com/Piwigo/Piwigo Software Link: https://github.com/Piwigo/Piwigo Version: 13.6.0 Tested on: Windows CV...