anonhaven
Ad

CVE-2026-27833

HIGH CVSS 3.1: 7.5 EPSS 0.04%
Updated Apr 09, 2026
Piwigo
Parameter Value
CVSS 7.5 (HIGH)
Affected Versions before 16.3.0
Fixed In 16.3.0
Type CWE-862 (Missing Authorization)
Vendor Piwigo
Public PoC No

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the pwg.history.search API method in Piwigo is registered without the admin_only option, allowing unauthenticated users to access the full browsing history of all gallery visitors. This issue has been patched in version 16.3.0.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
None
No data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-862 Missing Authorization

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Piwigo Piwigo
cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*
 16.3.0

References 3

https://github.com/Piwigo/Piwigo/commit/d05c16561ce3692ca922199f8c8d7b1a45893f1c
security-advisories@github.com
https://github.com/Piwigo/Piwigo/security/advisories/GHSA-397m-gfhm-pmg2
security-advisories@github.com
https://piwigo.org/release-16.3.0
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-27885

Piwigo

7.2

CVE-2026-27834

Piwigo

7.2

CVE-2026-27634

Piwigo

8.7