EUVD-2026-18870 | CVE-2026-27833

Severity: HIGH (CVSS 3.1 base score 7.5)
Published: 2026-04-03
Source: GitHub_M

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: None (PR:N)
User Interaction: None (UI:N)
Scope: Unchanged (S:U)
Confidentiality: High (C:H)
Integrity: None (I:N)
Availability: None (A:N)

Lifecycle Timeline

Apr 03, 2026 - 21:34  CVE Published (nvd)
Apr 03, 2026 - 22:15  EUVD ID Assigned: EUVD-2026-18870 (euvd)
Apr 03, 2026 - 22:15  Analysis Generated (vuln.today)

Description

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the pwg.history.search API method in Piwigo is registered without the admin_only option, allowing unauthenticated users to access the full browsing history of all gallery visitors. This issue has been patched in version 16.3.0.

Analysis

Piwigo before 16.3.0 registers the pwg.history.search web-service method without the admin_only option, so any remote, unauthenticated caller can retrieve the complete browsing history of all gallery visitors. The root cause is a missing authorization check on the method (CWE-862): no privileges or user interaction are needed and the exploit is a single API request, which is why the score is 7.5 despite the impact being confined to confidentiality (C:H/I:N/A:N). …
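To make the failure mode concrete, the following Python model (written for this page; it is not Piwigo's PHP code) contrasts a method registry where admin-only protection is an opt-in option, as the advisory describes, with one that fails closed. The method names, the public allow-list and the reply shape are assumptions chosen to mirror the advisory, and the history rows are constructed.

```python
"""Model of an API method registry whose admin-only protection is an opt-in
option, beside a fail-closed variant. Added for this page; it is not Piwigo's
code. Method names, the allow-list and the reply shape are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Method:
    name: str
    handler: Callable[[dict], object]
    admin_only: bool


class OptInRegistry:
    """Vulnerable pattern: a method is public unless the registrar remembers
    to pass admin_only=True. Omitting the option silently exposes it."""

    def __init__(self) -> None:
        self.methods: Dict[str, Method] = {}

    def add_method(self, name: str, handler: Callable[[dict], object],
                   options: Optional[dict] = None) -> None:
        opts = options or {}
        self.methods[name] = Method(name, handler, bool(opts.get("admin_only", False)))

    def invoke(self, name: str, params: dict, is_admin: bool) -> dict:
        """Dispatch one call on behalf of a caller who is or is not an admin."""
        method = self.methods[name]
        if method.admin_only and not is_admin:
            return {"stat": "fail", "err": 401, "message": "Access denied"}
        return {"stat": "ok", "result": method.handler(params)}


class FailClosedRegistry(OptInRegistry):
    """Hardened pattern: every method is admin-only unless it appears on an
    explicit public allow-list, so a forgotten option fails closed."""

    PUBLIC = frozenset({"pwg.getVersion", "pwg.categories.getList"})  # assumed list

    def add_method(self, name, handler, options=None):
        opts = options or {}
        # An explicit admin_only=True always wins; otherwise consult the allow-list.
        admin_only = opts.get("admin_only", name not in self.PUBLIC)
        self.methods[name] = Method(name, handler, bool(admin_only))


def history_search(params: dict) -> list:
    """Constructed stand-in for the real handler: rows of visitor history."""
    return [{"date": "2026-04-01", "IP": "198.51.100.7", "image_id": 42}]


def audit_public_methods(registry: OptInRegistry, expected_public: frozenset) -> list:
    """Return methods reachable anonymously that are not on the expected public
    list; a non-empty result is the registration mistake behind this CVE."""
    return sorted(m.name for m in registry.methods.values()
                  if not m.admin_only and m.name not in expected_public)


def demo() -> dict:
    """Anonymous calls to pwg.history.search under three registrations."""
    forgotten = OptInRegistry()
    forgotten.add_method("pwg.history.search", history_search)  # option omitted

    fixed = OptInRegistry()
    fixed.add_method("pwg.history.search", history_search, {"admin_only": True})

    fail_closed = FailClosedRegistry()
    fail_closed.add_method("pwg.history.search", history_search)  # same omission

    return {
        "forgotten": forgotten.invoke("pwg.history.search", {}, is_admin=False),
        "fixed": fixed.invoke("pwg.history.search", {}, is_admin=False),
        "fail_closed": fail_closed.invoke("pwg.history.search", {}, is_admin=False),
        "exposed": audit_public_methods(forgotten, FailClosedRegistry.PUBLIC),
    }


if __name__ == "__main__":
    for label, reply in demo().items():
        print(f"{label}: {reply}")
```

The audit function is the part worth keeping: run against a real registration table it lists every method an anonymous caller can reach that is not on the intended public list, which is exactly how a forgotten admin_only would have been caught before release.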


Remediation

Within 24 hours: until the upgrade is in place, block requests for the pwg.history.search method at a web application firewall or reverse proxy in front of Piwigo, so the application never sees the call; if the deployment accepts the method name in the POST body as well as in the query string, the rule must inspect both. Within 7 days: upgrade Piwigo to 16.3.0 or later, which registers the method with the admin_only option; where the upgrade cannot be applied yet, place HTTP authentication or IP-based access controls in front of all Piwigo API endpoints, then confirm that an anonymous call to pwg.history.search is refused. …
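To verify the exposure before hardening and the block or upgrade after it, here is a small Python probe added for this page (not a tool from Piwigo or vuln.today). It assumes Piwigo's web-service entry point is ws.php under the gallery root, that the output format is chosen with `?format=json`, that the method name can be sent as a POST form field, and that replies carry `"stat": "ok"` on success or `"stat": "fail"` with `"err": 401` when access is denied; the sample replies are constructed. Run it only against galleries you are authorised to test.

```python
"""Probe whether pwg.history.search answers an anonymous caller.
Added for this page; not a Piwigo or vuln.today tool. Assumptions: the API
entry point is <gallery>/ws.php, the format is chosen via ?format=json, the
method name may be sent as a POST form field, and replies carry "stat"/"err"."""
import json
import urllib.error
import urllib.parse
import urllib.request

METHOD = "pwg.history.search"


def build_request(base_url: str, method: str = METHOD) -> urllib.request.Request:
    """Anonymous POST: no cookie or credentials, so the server sees a guest.
    The method name goes in the body, which a proxy rule matching only the
    query string would not see."""
    url = base_url.rstrip("/") + "/ws.php?format=json"
    body = urllib.parse.urlencode({"method": method}).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def classify(body_text: str) -> str:
    """Map a ws.php JSON reply to 'exposed', 'denied' or 'unknown'."""
    try:
        reply = json.loads(body_text)
    except ValueError:
        return "unknown"  # HTML error page, WAF challenge page, etc.
    if not isinstance(reply, dict):
        return "unknown"
    if reply.get("stat") == "ok":
        return "exposed"
    if reply.get("stat") == "fail" and reply.get("err") == 401:
        return "denied"
    return "unknown"


def probe(base_url: str, timeout: float = 10.0) -> str:
    """Return 'exposed', 'denied', 'blocked' (the proxy or WAF refused the
    request with no Piwigo-style body) or 'unknown'."""
    try:
        with urllib.request.urlopen(build_request(base_url), timeout=timeout) as resp:
            return classify(resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as exc:
        verdict = classify(exc.read().decode("utf-8", "replace"))
        if verdict != "unknown":
            return verdict
        return "blocked" if exc.code in (401, 403) else "unknown"
    except urllib.error.URLError:
        return "unknown"


# Constructed replies in the assumed format, for offline use.
SAMPLE_EXPOSED = json.dumps({
    "stat": "ok",
    "result": {"paging": {"page": 0, "per_page": 100, "count": 1},
               "history": [{"date": "2026-04-01", "time": "10:15:00",
                            "IP": "198.51.100.7", "image_id": 42}]},
})
SAMPLE_DENIED = json.dumps({"stat": "fail", "err": 401, "message": "Access denied"})


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(f"{sys.argv[1]}: {probe(sys.argv[1])}")
    else:
        print("exposed sample ->", classify(SAMPLE_EXPOSED))
        print("denied sample  ->", classify(SAMPLE_DENIED))
```

A result of "exposed" before the fix and "denied" (application-level refusal) or "blocked" (proxy-level refusal) afterwards is what you want to see; "unknown" means the reply did not match the assumed format and should be read by hand rather than trusted either way.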


Priority Score

38 on the vuln.today scale (Low / Medium / High / Critical)

Score components:
KEV (known exploited): 0
EPSS: +0.0
CVSS: +38
POC (public proof of concept): 0


