CVE-2024-43018
Published: 29 July 2025
Summary
CVE-2024-43018 is a medium-severity SQL Injection (CWE-89) vulnerability in Piwigo. Its CVSS base score is 6.4 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Account Discovery (T1087); it is ranked at the 32.3rd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-54833
Vulnerability details
Piwigo 13.8.0 and below is vulnerable to SQL Injection in the parameters max_level and min_register. These parameters are used in the ws_user_getList function from the file include\ws_functions\pwg.users.php; this same function is called by the ws.php file and can be used for searching users in an advanced way in /admin.php?page=user_list.
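The defect described above is a filter value that reaches the user-list query as raw SQL text. The following is an added example of how such filters can be accepted safely; it is illustrative code written for this page, not Piwigo's own ws_user_getList, and the column names (ui.level, ui.registration_date), the table names, the $pdo handle and the $params array are all assumptions.

```php
<?php
// Added example (not Piwigo's code): validate the max_level and min_register
// filters and pass them to the database as bound parameters, so the query
// text itself never changes based on client input.

function build_user_list_query(PDO $pdo, array $params): PDOStatement
{
    $where = [];
    $bind  = [];

    // max_level: accept only a non-negative integer. FILTER_VALIDATE_INT
    // rejects strings such as "1 OR 1=1" instead of silently truncating them.
    if (isset($params['max_level'])) {
        $maxLevel = filter_var(
            $params['max_level'],
            FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 0]]
        );
        if ($maxLevel === false) {
            throw new InvalidArgumentException('max_level must be a non-negative integer');
        }
        $where[] = 'ui.level <= :max_level';           // column name is an assumption
        $bind[':max_level'] = $maxLevel;
    }

    // min_register: a timestamp, so validate it against a strict format and
    // re-serialise the parsed value rather than interpolating the raw string.
    // The round-trip comparison also rejects out-of-range dates that
    // createFromFormat would otherwise silently normalise.
    if (isset($params['min_register'])) {
        $raw = (string) $params['min_register'];
        $dt  = DateTime::createFromFormat('Y-m-d H:i:s', $raw);
        if ($dt === false || $dt->format('Y-m-d H:i:s') !== $raw) {
            throw new InvalidArgumentException('min_register must be YYYY-MM-DD HH:MM:SS');
        }
        $where[] = 'ui.registration_date >= :min_register'; // column name is an assumption
        $bind[':min_register'] = $dt->format('Y-m-d H:i:s');
    }

    // Fixed query skeleton; only the bound values vary per request.
    $sql = 'SELECT u.id, u.username, ui.level, ui.registration_date'
         . ' FROM users u JOIN user_infos ui ON ui.user_id = u.id';   // table names assumed
    if ($where !== []) {
        $sql .= ' WHERE ' . implode(' AND ', $where);
    }

    $stmt = $pdo->prepare($sql);
    foreach ($bind as $name => $value) {
        $stmt->bindValue($name, $value, is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt;
}

// Usage (with a PDO connection $pdo already opened):
// $rows = build_user_list_query($pdo, $_GET)->fetchAll(PDO::FETCH_ASSOC);
```

Two properties matter here: the value is validated to the type the query expects before it is used, and it is passed through a prepared statement so the database driver, not string concatenation, decides how the value is represented. Either measure alone would close this particular injection; together they also produce a clear error for malformed input, which is the signal a detection rule on the web-service log would look for.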
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in user list query (ws_user_getList) enables account discovery (T1087), system information discovery via DB queries (T1082), collection of data from databases (T1213.006), and exploitation of the remote web service for potential code execution and information disclosure (T1210).
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.