CVE-2024-48928
Published: 24 February 2026
Summary
CVE-2024-48928 is a high-severity Use of Insufficiently Random Values (CWE-330) vulnerability in Piwigo. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). It is ranked in the 15.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Key generation under controlled management uses approved random-bit sources rather than insufficiently random values.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The insufficient randomness in key generation directly enables brute force of the low-entropy secret_key, which is used in CSRF tokens and ephemeral keys.
NVD Description
Piwigo is an open source photo gallery application for the web. In versions on the 14.x branch, when installing, the secret_key configuration parameter is set to MD5(RAND()) in MySQL. However, RAND() only has 30 bits of randomness, making it feasible to brute-force the secret key. The CSRF token is constructed partially from the secret key, and this can be used to check if the brute force succeeded. Trying all possible values takes approximately one hour. The impact of this is limited. The auto login key uses the user's password on top of the secret key. The pwg token uses the user's session identifier on top of the secret key. It seems that values for get_ephemeral_key can be generated when one knows the secret key. Version 15.0.0 contains a fix for the issue.
Deeper analysis
CVE-2024-48928 is a vulnerability in Piwigo, an open source photo gallery application for the web, affecting versions on the 14.x branch. During installation, the secret_key configuration parameter is generated as the MD5 hash of MySQL's RAND() function, which provides only 30 bits of randomness. This low entropy makes the secret key feasible to brute-force, as classified under CWE-330 (Use of Insufficiently Random Values). The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting high confidentiality impact accessible over the network without authentication.
Any remote attacker can exploit this by brute-forcing all possible secret key values, a process that takes approximately one hour, using the CSRF token—which is partially constructed from the secret key—to verify success. Knowledge of the secret key enables generation of values for get_ephemeral_key. However, overall impact is limited, as the auto login key additionally incorporates the user's password atop the secret key, and the pwg token uses the user's session identifier in conjunction with it.
Piwigo version 15.0.0 addresses the issue with a fix. Additional details are available in the GitHub security advisory at https://github.com/Piwigo/Piwigo/security/advisories/GHSA-hghg-37rg-7r42 and the patching commit at https://github.com/Piwigo/Piwigo/commit/552499e0533ce54b55f4304b41ca6cd7ccce51f8.
Details
- CWE(s): CWE-330 (Use of Insufficiently Random Values)