CVE-2023-26876
Published: 21 April 2023
Summary
CVE-2023-26876 is a high-severity SQL Injection (CWE-89) vulnerability in Piwigo. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 1.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Piwigo 13.5.0 and earlier contain an SQL injection flaw tracked as CVE-2023-26876. The injection point is the filter_user_id parameter of the administrative history page (admin.php?page=history): the value reaches a backend SQL query without adequate validation or parameterization, which is the weakness class CWE-89 describes. The CVSS 3.1 base score of 8.8 reflects network-reachable, low-complexity exploitation with High impact on confidentiality, integrity and availability; the NVD description additionally credits the flaw with arbitrary code execution on the server.
An attacker holding a low-privileged account that can reach the administrative history page supplies a crafted filter_user_id value. Because the parameter is interpolated into the query, the attacker can rewrite the WHERE clause (for example collapsing the user filter, or appending a UNION to pull rows from other tables such as user credentials) and thereby read or modify arbitrary database contents, which is what the High confidentiality, integrity and availability ratings capture. Whether this escalates to code execution on the host, as the NVD summary states, depends on the database account's privileges and the server configuration; the supplied references do not spell out that chain, so treat the database compromise as the certain impact and host compromise as the worst case.
An EPSS score of 0.54 corresponds to an estimated 54% probability of exploitation activity within the next 30 days, a substantial figure consistent with the top-1.9% ranking above; the score has shown no material upward movement since its initial peak. Public references include proof-of-concept code and a Full Disclosure mailing-list post, while the vendor site offers no additional mitigation details in the supplied references, so the safe course is to move to a release later than 13.5.0.
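To make the mechanism concrete, the following is an added example, not Piwigo's own code and not a reproduction of the actual vulnerable query. It reconstructs the weak pattern (the request parameter concatenated straight into the WHERE clause) next to a hardened version that validates filter_user_id as an integer and binds it as a query parameter, and runs both against a constructed in-memory SQLite database. The table names, columns and sample rows are assumptions for illustration; the two payloads show the filter being collapsed and a UNION pulling rows out of a separate credentials table, which is the confidentiality impact the advisory describes.

```python
import re
import sqlite3

# Constructed sample schema standing in for an application's history and user
# tables (assumed for this example; this is not Piwigo's real schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE history (id INTEGER, user_id INTEGER, image_id INTEGER, action TEXT)"
    )
    conn.executemany(
        "INSERT INTO history VALUES (?, ?, ?, ?)",
        [(1, 1, 10, "view"), (2, 2, 11, "view"), (3, 3, 12, "download"), (4, 2, 13, "view")],
    )
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "$2y$10$constructed-hash-1"), (2, "alice", "$2y$10$constructed-hash-2")],
    )
    return conn


def history_filter_vulnerable(conn, filter_user_id):
    # Hypothetical reconstruction of the weak pattern: the request parameter is
    # pasted into the SQL text, so its content becomes part of the query grammar.
    sql = (
        "SELECT id, user_id, image_id, action FROM history WHERE user_id = "
        + filter_user_id
    )
    return conn.execute(sql).fetchall()


def history_filter_hardened(conn, filter_user_id):
    # Two independent controls: a strict allow-list on the value (only ASCII
    # digits, which is all a user id can ever be) and a bound parameter, so the
    # value is never interpreted as SQL even if validation were bypassed.
    if not isinstance(filter_user_id, str) or not re.fullmatch(r"[0-9]+", filter_user_id):
        raise ValueError("filter_user_id must be a non-negative integer")
    sql = "SELECT id, user_id, image_id, action FROM history WHERE user_id = ?"
    return conn.execute(sql, (int(filter_user_id),)).fetchall()


def demo():
    """Run benign and injected values through both variants and collect results."""
    conn = make_db()
    benign = "2"
    # Constructed payloads: the first collapses the filter to every row, the second
    # uses UNION to pull credential rows through the history query's four columns.
    payload_or = "2 OR 1=1"
    payload_union = "0 UNION SELECT id, 0, 0, password_hash FROM users"

    results = {
        "vuln_benign": history_filter_vulnerable(conn, benign),
        "vuln_or": history_filter_vulnerable(conn, payload_or),
        "vuln_union": history_filter_vulnerable(conn, payload_union),
        "hard_benign": history_filter_hardened(conn, benign),
    }
    for name, value in (("hard_or", payload_or), ("hard_union", payload_union)):
        try:
            history_filter_hardened(conn, value)
            results[name] = "accepted"
        except ValueError:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened version deliberately keeps both controls even though the bound parameter alone defeats injection: the allow-list turns a malformed request into a clean 4xx-style error instead of a database error, which is also what a web application firewall or log-based detection rule should key on for this endpoint (a non-numeric filter_user_id on admin.php?page=history is never legitimate).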
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-30668
Vulnerability details
SQL injection vulnerability found in Piwigo v.13.5.0 and before allows a remote attacker to execute arbitrary code via the filter_user_id parameter to the admin.php?page=history&filter_image_id=&filter_user_id endpoint.
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the controls below follow from the weakness type (CWE-89) cited in the NVD entry rather than from vendor guidance:
- Upgrade Piwigo to a release later than 13.5.0, since 13.5.0 and earlier are affected.
- Until then, restrict access to the administrative history page (admin.php?page=history) to trusted administrators only, since a low-privileged account with access to it is sufficient to exploit the flaw.
- Ensure user-supplied parameters such as filter_user_id are validated against an expected type (here, an integer) and passed to the database as bound parameters, never concatenated into SQL text.
- Run the application's database account with least privilege (no file-write or administrative rights) to limit what a successful injection can reach beyond the application's own tables.