EUVD-2026-18868Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the four date filter parameters (f_min_date_available, f_max_date_available, f_min_date_created, f_max_date_created) in ws_std_image_sql_filter() are concatenated directly into SQL without any escaping or type validation. This could result in an unauthenticated attacker reading the full database, including user password hashes. This issue has been patched in version 16.3.0.
AnalysisAI
SQL injection in Piwigo photo gallery application versions prior to 16.3.0 allows unauthenticated remote attackers to extract the entire database, including user password hashes, via unsanitized date filter parameters in the ws_std_image_sql_filter() function. The vulnerability stems from direct SQL concatenation of four date parameters without input validation or escaping. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Piwigo versions prior to 16.3.0. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This vulnerability presents critical real-world risk based on multiple threat indicators. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker identifies an internet-facing Piwigo installation running a vulnerable version and sends crafted HTTP requests to the web services API with malicious SQL payloads in date filter parameters such as f_min_date_available. By injecting UNION-based SQL queries or time-based blind injection techniques, the attacker extracts the entire database schema, followed by user account tables containing password hashes. … |
| Remediation | Upgrade immediately to Piwigo version 16.3.0 or later, which contains the fix for this SQL injection vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Piwigo instances and document current versions via administrative interface or version endpoint. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today