CVE-2026-27885 Overview
A SQL injection vulnerability has been discovered in Piwigo, the popular open source photo gallery application for the web. Prior to version 16.3.0, the Activity List web-service method (pwg.activity.getList, reached through the ws.php endpoint) was vulnerable to SQL injection. An authenticated administrator could use it to extract sensitive data from the database, including user credentials, email addresses, and all stored content. The flaw stems from missing validation of the date_min and date_max parameters before they are used in SQL queries.
Critical Impact
An authenticated administrator can exploit this SQL injection to read sensitive database contents, including user credentials, email addresses, and stored content, which can lead to a complete data breach and further compromise of the installation.
Affected Products
- Piwigo versions prior to 16.3.0
- The Activity List API method (pwg.activity.getList, served by ws.php)
- Self-hosted Piwigo installations with administrative access
Discovery Timeline
- 2026-04-03 - CVE-2026-27885 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-27885
Vulnerability Analysis
This SQL injection vulnerability exists in the Piwigo Activity List API method (pwg.activity.getList). The vulnerable code did not validate the user-supplied date_min and date_max parameters before incorporating them into SQL queries, so an authenticated administrator could craft values that alter the underlying query and return data the method was never meant to expose.
Exploitation requires network access to ws.php and an authenticated administrator session. Once exploited, the attacker can achieve complete compromise of database confidentiality, integrity, and availability, including extraction of user credentials, email addresses, and all stored photo gallery content.
Root Cause
The root cause is the absence of input validation for the date_min and date_max parameters of the Activity List method: the values were incorporated into SQL queries without first verifying that they were valid MySQL datetime strings, so arbitrary SQL could be injected through them.
Attack Vector
An authenticated administrator sends a request to ws.php naming the pwg.activity.getList method with a SQL payload in date_min or date_max. Because the method never checked that these values were well-formed datetime strings, the payload was passed into the query and executed by the database.
The fix introduces a validation function, is_valid_mysql_datetime(), and rejects the request with WS_ERR_INVALID_PARAM if either date parameter is present but does not conform to the expected MySQL datetime format:
{
global $conf;
- /* Test Lantency */
- // sleep(1);
+ foreach (array('date_min', 'date_max') as $datefield)
+ {
+ if (!empty($param[$datefield]) and !is_valid_mysql_datetime($param[$datefield]))
+ {
+ return new PwgError(WS_ERR_INVALID_PARAM, 'Invalid '.$datefield);
+ }
+ }
$output_lines = array();
$current_key = '';
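Review bot: the guard on the added if line uses !empty($param[$datefield]), and PHP's empty() is true for the string "0", so a date_min or date_max of "0" skips is_valid_mysql_datetime() and reaches whatever follows unvalidated; isset($param[$datefield]) && $param[$datefield] !== '' (or a !== null test) is the safer form. The body of is_valid_mysql_datetime() and the query that consumes these values are both outside this hunk, so the accepted formats and whether the values are additionally escaped at the point of interpolation cannot be confirmed from the diff; a sentence in the commit message naming the accepted format would help reviewers.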
Source: GitHub Commit c172d284
Additionally, the API parameter definitions were revised to declare the date and filter parameters and to tighten the type constraints on the integer ones:
array(
'page' => array('default'=>null,
'type'=>WS_TYPE_INT|WS_TYPE_POSITIVE),
- 'uid' => array('default'=>NULL,
- 'type'=>WS_TYPE_INT|WS_TYPE_POSITIVE),
+ 'offset' => array('default'=>0,
+ 'type'=>WS_TYPE_INT|WS_TYPE_POSITIVE),
+ 'uid' => array('default'=>NULL, 'type'=>WS_TYPE_ID),
+ 'date_min' => array('default'=>null),
+ 'date_max' => array('default'=>null),
+ 'id' => array('default'=>null, 'type'=>WS_TYPE_ID),
+ 'object' => array('default'=>null),
+ 'action' => array('default'=>null),
),
'Returns general informations.',
$ws_functions_root . 'pwg.php',
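Review bot: date_min and date_max are declared with only a default and no 'type' key, unlike page, offset, uid and id, so the parameter layer itself performs no check on them and the runtime is_valid_mysql_datetime() guard in the handler is the sole barrier; if the web-service layer offers no datetime type, a short comment beside these two entries saying the check lives in the handler would stop a later refactor from dropping it. Separately, uid moves from WS_TYPE_INT|WS_TYPE_POSITIVE to WS_TYPE_ID, which is fine only if WS_TYPE_ID implies the same positive-integer constraint; worth confirming.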
Source: GitHub Commit c172d284
Detection Methods for CVE-2026-27885
Indicators of Compromise
- Unusual or malformed requests to the /ws.php endpoint with method=pwg.activity.getList in the query string or POST body
- API requests containing SQL syntax characters (single quotes, UNION, SELECT, etc.) in date_min or date_max parameters
- Unexpected database query patterns or errors in application logs
- Anomalous administrator account activity, especially repeated API calls with varying date parameters
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in API requests
- Monitor web server access logs for requests to ws.php containing suspicious date_min or date_max values (only GET query strings appear in access logs; parameters sent in a POST body need application-level logging or a WAF that inspects bodies)
- Deploy database activity monitoring to identify abnormal query patterns or data extraction attempts
- Enable and review Piwigo application logs for API error messages related to parameter validation
Monitoring Recommendations
- Set up alerts for multiple failed API requests from administrator accounts
- Monitor database query logs for UNION-based or time-based blind SQL injection indicators (UNION SELECT, SLEEP(), BENCHMARK())
- Track unusual data access patterns that may indicate bulk data extraction
- Implement rate limiting on API endpoints to slow down automated exploitation attempts
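As an added example that is not part of this advisory or of Piwigo's code, the following Python script applies the indicators and detection strategies above to web-server access log lines: it picks out requests to ws.php that name pwg.activity.getList, percent-decodes date_min and date_max, and flags values that are not well-formed MySQL datetimes, separating values that carry SQL syntax from values that are merely malformed. The log lines are constructed for the example, the is_valid_mysql_datetime function is an illustrative re-implementation of the kind of check the patch adds (not Piwigo's own function), and the regex assumes the default nginx/Apache "combined" access log layout.

```python
"""Scan access-log lines for suspicious pwg.activity.getList date parameters (added example)."""
import re
from datetime import datetime
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Fields of the nginx/Apache "combined" log format that this scanner needs.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Shape of a MySQL DATE or DATETIME literal. Illustrative re-implementation of the
# kind of check the patch adds; this is NOT Piwigo's own is_valid_mysql_datetime().
_DATETIME_RE = re.compile(r'^\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2}:\d{2})?$')
# Characters and keywords that never belong in a date value.
_SQL_MARKERS = re.compile(r"['\"#;]|--|/\*|\b(union|select|sleep|benchmark)\b", re.I)

TARGET_METHOD = 'pwg.activity.getList'
DATE_PARAMS = ('date_min', 'date_max')


def is_valid_mysql_datetime(value: str) -> bool:
    """True only if value is a well-formed and calendar-valid MySQL DATE/DATETIME."""
    if not _DATETIME_RE.match(value):
        return False
    fmt = '%Y-%m-%d %H:%M:%S' if ' ' in value else '%Y-%m-%d'
    try:
        datetime.strptime(value, fmt)   # rejects month 13, day 45, etc.
    except ValueError:
        return False
    return True


def parse_access_log_line(line: str) -> Optional[Dict]:
    """Return the fields this scanner needs, or None if the line is not combined format."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group('target'))
    return {
        'ip': m.group('ip'),
        'ts': m.group('ts'),
        'verb': m.group('verb'),
        'path': url.path,
        'query': parse_qs(url.query),   # percent-decoded, one list of values per key
        'status': int(m.group('status')),
    }


def classify_date_value(value: str) -> Optional[str]:
    """None for a clean value; otherwise a short reason string for the finding."""
    if is_valid_mysql_datetime(value):
        return None
    if _SQL_MARKERS.search(value):
        return 'sql_syntax_in_date'
    return 'invalid_datetime'


def scan_lines(lines: List[str]) -> List[Dict]:
    """One finding per suspicious request. POST bodies are not in access logs, so
    POSTs to ws.php are flagged for follow-up in application-level logging."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_access_log_line(line)
        if not rec or rec['path'] != '/ws.php':
            continue
        methods = rec['query'].get('method', [])
        if rec['verb'] == 'POST' and not methods:
            findings.append({'line': n, 'ip': rec['ip'], 'param': None,
                             'value': None, 'reason': 'post_body_not_logged'})
            continue
        if TARGET_METHOD not in methods:
            continue
        for param in DATE_PARAMS:
            for value in rec['query'].get(param, []):
                reason = classify_date_value(value)
                if reason:
                    findings.append({'line': n, 'ip': rec['ip'], 'param': param,
                                     'value': value, 'reason': reason})
    return findings


# Constructed sample log lines (not real traffic): one benign call, one with SQL
# syntax in date_min, one with an impossible date, one opaque POST, one other method.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Apr/2026:10:15:01 +0000] "GET /ws.php?format=json&method=pwg.activity.getList&date_min=2026-03-01%2000:00:00 HTTP/1.1" 200 812 "-" "curl/8.5.0"',
    '203.0.113.9 - - [03/Apr/2026:10:15:07 +0000] "GET /ws.php?format=json&method=pwg.activity.getList&date_min=2026-03-01%27%20UNION%20SELECT%201%2C2%2C3--%20- HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '203.0.113.9 - - [03/Apr/2026:10:15:09 +0000] "GET /ws.php?format=json&method=pwg.activity.getList&date_max=2026-13-45%2000:00:00 HTTP/1.1" 200 64 "-" "python-requests/2.31"',
    '203.0.113.9 - - [03/Apr/2026:10:15:12 +0000] "POST /ws.php HTTP/1.1" 200 812 "-" "python-requests/2.31"',
    '10.0.0.5 - - [03/Apr/2026:10:16:00 +0000] "GET /ws.php?format=json&method=pwg.images.search&query=cat HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for finding in scan_lines(SAMPLE_LOG):
        print(finding)
```

Only GET query strings are visible in an access log; Piwigo clients commonly POST to ws.php, so treat each post_body_not_logged finding as a prompt to check application-level logging or a body-inspecting WAF rather than as a clean result. The same is_valid_mysql_datetime check is also what a WAF rule for the date parameters should express: allow-list the datetime shape rather than block-list SQL keywords.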
How to Mitigate CVE-2026-27885
Immediate Actions Required
- Upgrade Piwigo to version 16.3.0 or later immediately
- Review administrator account access logs for suspicious activity
- Audit database for signs of unauthorized data access or extraction
- Consider rotating database credentials and user passwords as a precautionary measure
- Implement network-level access controls to restrict administrative API access
Patch Information
Piwigo 16.3.0 addresses this SQL injection vulnerability. The patch adds validation of the date_min and date_max parameters using the is_valid_mysql_datetime() function and rejects requests whose values do not pass it. Users should upgrade immediately by following the official release notes for Piwigo Release 16.3.0. The security fix is documented in GitHub Security Advisory GHSA-wfmr-9hg8-jh3m.
Workarounds
- Restrict administrative access to trusted IP addresses only using firewall rules or web server configuration
- Implement a Web Application Firewall (WAF) with SQL injection detection rules for the Activity List API endpoint
- Restrict access to ws.php until patching is possible; note that pwg.activity.getList is selected by the method parameter rather than served at its own URL, so blocking only that method requires a rule that inspects the query string or POST body, while blocking ws.php outright also cuts off every other API client (including the Piwigo mobile apps)
- Monitor and audit all administrator account activity until the upgrade is completed
# Example: Restrict access to the Piwigo web-service endpoint via nginx
# Caveat: this blocks every API method for every client (including the
# Piwigo mobile apps), not only pwg.activity.getList. Adjust the allow
# list and the PHP-FPM socket path to your environment.
location = /ws.php {
    # Allow only trusted admin IPs
    allow 192.168.1.0/24;
    allow 10.0.0.0/8;
    deny all;
    # Pass to PHP handler
    include fastcgi_params;
    # Needed unless your fastcgi include already sets SCRIPT_FILENAME
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/var/run/php/php-fpm.sock;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

