How to fix CVE-2024-48928?

Within 24 hours: Inventory all Piwigo 14.x installations and assess whether they contain sensitive or customer data. Within 7 days: Apply the available vendor patch to all affected instances in development and non-production environments first. Within 30 days: Complete patching of all production Piwigo 14.x instances and regenerate secret keys on patched systems to invalidate any potentially compromised tokens.

Is Golang affected by CVE-2024-48928?

Piwigo 14.x installations use a weak cryptographic key (MD5-based) that could allow attackers to forge authentication tokens or session data, potentially compromising photo galleries and user accounts.

CVE-2024-48928

HIGH

2026-02-24 [email protected]

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

Patch Released

Feb 25, 2026 - 16:53 nvd

Patch available

CVE Published

Feb 24, 2026 - 17:29 nvd

HIGH 7.5

Description

Piwigo is an open source photo gallery application for the web. In versions on the 14.x branch, when installing, the secret_key configuration parameter is set to MD5(RAND()) in MySQL. However, RAND() only has 30 bits of randomness, making it feasible to brute-force the secret key. The CSRF token is constructed partially from the secret key, and this can be used to check if the brute force succeeded. Trying all possible values takes approximately one hour. The impact of this is limited. The auto login key uses the user's password on top of the secret key. The pwg token uses the user's session identifier on top of the secret key. It seems that values for get_ephemeral_key can be generated when one knows the secret key. Version 15.0.0 contains a fix for the issue.

Analysis

Piwigo is an open source photo gallery application for the web. In versions on the 14.x branch, when installing, the secret_key configuration parameter is set to MD5(RAND()) in MySQL. [CVSS 7.5 HIGH]

Technical Context

Classified as CWE-330 (Use of Insufficiently Random Values). Affects Piwigo. Piwigo is an open source photo gallery application for the web. In versions on the 14.x branch, when installing, the secret_key configuration parameter is set to MD5(RAND()) in MySQL. However, RAND() only has 30 bits of randomness, making it feasible to brute-force the secret key. The CSRF token is constructed partially from the secret key, and this can be used to check if the brute force succeeded. Trying all possible values takes approximately one hour. The impact of this is limited. The auto

Affected Products

Vendor: Piwigo. Product: Piwigo.

Remediation

A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +38

POC: 0

CVE-2024-48928 vulnerability details – vuln.today

Back

CVE-2024-48928

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2024-48928

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code