Skip to main content

Piwigo CVE-2026-27833

| EUVD-2026-18870 HIGH
Missing Authorization (CWE-862)
2026-04-03 GitHub_M
Authentication Bypass Piwigo
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:06 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
16.3.0
EUVD ID Assigned
Apr 03, 2026 - 22:15 euvd
EUVD-2026-18870
Analysis Generated
Apr 03, 2026 - 22:15 vuln.today
CVE Published
Apr 03, 2026 - 21:34 nvd
HIGH 7.5

DescriptionGitHub Advisory

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the pwg.history.search API method in Piwigo is registered without the admin_only option, allowing unauthenticated users to access the full browsing history of all gallery visitors. This issue has been patched in version 16.3.0.

AnalysisAI

Unauthenticated information disclosure in Piwigo photo gallery software (versions prior to 16.3.0) allows remote attackers to retrieve complete browsing history of all gallery visitors through exposed pwg.history.search API endpoint. The API method lacks mandatory admin-only access controls (CWE-862), enabling trivial privacy violation with CVSS 7.5 severity. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send unauthenticated request to pwg.history.search API
Exploit
Access unprotected history endpoint
Execution
Retrieve full browsing history of all gallery visitors
Impact
Disclose sensitive visitor activity data
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Piwigo versions prior to 16.3.0 with the pwg.history.search API method enabled (default configuration). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is HIGH despite no confirmed active exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An external attacker discovers a Piwigo gallery through internet scanning and identifies the API endpoint at /ws.php. Without authentication, the attacker crafts HTTP POST requests to pwg.history.search with parameters querying all visitor records, retrieving timestamped browsing logs including IP addresses, viewed images, session identifiers, and navigation patterns. …
Remediation Upgrade immediately to Piwigo version 16.3.0 or later, which includes the vendor-released patch addressing the privilege management flaw. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all Piwigo instances in production and confirm current version numbers. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-27833 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy