
CVE-2024-48928

Severity: LOW | CVSS 4.0: 2.7 | EPSS: 0.05%
Updated Feb 25, 2026
Piwigo
CVSS: 2.7 (LOW)
Affected Versions: 14.0.0 — 14.5.0
Type: CWE-330
Vendor: Piwigo
Public PoC: No

Piwigo is an open source photo gallery application for the web. In versions on the 14.x branch, when installing, the secret_key configuration parameter is set to MD5(RAND()) in MySQL. However, RAND() only has 30 bits of randomness, making it feasible to brute-force the secret key.

The CSRF token is constructed partially from the secret key, and this can be used to check if the brute force succeeded. Trying all possible values takes approximately one hour. The impact of this is limited.

The auto login key uses the user's password on top of the secret key. The pwg token uses the user's session identifier on top of the secret key. It seems that values for get_ephemeral_key can be generated when one knows the secret key.

Version 15.0.0 contains a fix for the issue.
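To put the 30-bit figure from the description in perspective, here is an added example (not Piwigo's own code) that compares the keyspace of a MySQL RAND()-seeded key with a CSPRNG-generated one, estimates worst-case enumeration time, and produces a properly generated replacement secret_key. The guess rate and the 32-byte CSPRNG scheme are assumptions for illustration.

```python
import math
import secrets

# MySQL RAND() draws from a 30-bit internal state, so MD5(RAND()) can take
# at most 2**30 distinct values: the entropy is that of the input, not of MD5.
MYSQL_RAND_KEYSPACE = 2 ** 30
# Assumed replacement scheme: 32 bytes from a CSPRNG (e.g. PHP random_bytes(32)).
CSPRNG_KEYSPACE = 2 ** 256
# Assumed attacker rate (guesses per second); constructed so that 2**30
# guesses take roughly the "approximately one hour" stated in the advisory.
ASSUMED_GUESS_RATE = 300_000.0


def entropy_bits(keyspace: int) -> float:
    """Entropy in bits of a value drawn uniformly from `keyspace` values."""
    return math.log2(keyspace)


def brute_force_hours(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case hours needed to try every value in the keyspace."""
    return keyspace / guesses_per_second / 3600.0


def generate_secret_key() -> str:
    """Replacement secret_key: 32 CSPRNG bytes, hex encoded (64 characters)."""
    return secrets.token_hex(32)


def hex_key_is_well_formed(key: str) -> bool:
    """Sanity check for a rotated key: exactly 64 lowercase hex characters."""
    return len(key) == 64 and all(c in "0123456789abcdef" for c in key)


if __name__ == "__main__":
    for name, space in (("MD5(RAND())", MYSQL_RAND_KEYSPACE),
                        ("CSPRNG 32 bytes", CSPRNG_KEYSPACE)):
        print(f"{name}: {entropy_bits(space):.0f} bits, "
              f"{brute_force_hours(space, ASSUMED_GUESS_RATE):.3g} hours worst case")
    print("replacement secret_key:", generate_secret_key())
```

Rotating secret_key after upgrading to a fixed version is the operator-side follow-up; tokens derived from the old key (CSRF, pwg token, auto login) should be considered exposed.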

Attack Parameters

Attack Vector: Network (can be exploited remotely)
Attack Complexity: Low (easy to exploit)
Attack Requirements: None (no additional conditions)
Privileges Required: None (no privileges needed)
User Interaction: None (no user interaction needed)

Impact Assessment

Confidentiality: None (no data leak)
Integrity: Low (partial data modification)
Availability: None (no disruption)

CVSS Vector v4.0

Weakness Type (CWE)

Vulnerable Products (1)

Configuration: Piwigo Piwigo (cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*)
From (including): 14.0.0
Up to (excluding): <= 14.5.0