Web Application Vulnerabilities Runtime SCA Findings
Looking for the vulnerability index of Invicti's legacy products?
Invicti Enterprise Acunetix Standard & Premium
Piwigo Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) Vulnerability - CVE-2026-27634 - Vulnerability Database
Piwigo

Piwigo Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) Vulnerability - CVE-2026-27634

Critical
Reference: CVE-2026-27634
NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2026-27634
Title: Piwigo Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) Vulnerability
Overview:

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0 the four date filter parameters (f_min_date_available f_max_date_available f_min_date_created f_max_date_created) in ws_std_image_sql_filter() are concatenated directly into SQL without any escaping or type validation. This could result in an unauthenticated attacker reading the full database including user password hashes. This issue has been patched in version 16.3.0.