CVE-2026-27885
Piwigo: SQL Injection in Activity.getListPiwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability was discovered in Piwigo affecting the Activity List API endpoint. This vulnerability allows an authenticated administrator to extract sensitive data from the database, including user credentials, email addresses, and all stored content. This issue has been patched in version 16.3.0.
We have discovered 1,948 live websites that are affected by CVE-2026-27885.
Affected Software
| Product | |
| Category | Photo Galleries |
| Vulnerable Domains | 1,948 live websites (79% of Piwigo install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 36 versions ( 97% of all versions) |
Common Weakness Enumeration
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')Details
- Published - Apr 3, 2026
- Updated - Apr 6, 2026
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-27885 United States | 382 websites |
 Germany | 480 websites |
 France | 357 websites |
 Netherlands | 87 websites |
 Russia | 69 websites |
 GB | 63 websites |
 Switzerland | 61 websites |
 Czech Republic | 58 websites |
 Poland | 39 websites |
 Austria | 34 websites |
Website Distribution by TLD
Number of websites using CVE-2026-27885| .com | 457 websites |
| .de | 303 websites |
| .net | 191 websites |
| .fr | 148 websites |
| .org | 147 websites |
| .nl | 74 websites |
| .ru | 56 websites |
| .ch | 51 websites |
| .at | 47 websites |
| .cz | 38 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-27885
Top websites that are affected by CVE-2026-27885. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***************.de | Germany | ***,*** | |
| *******.fr | France | ***,*** | |
| ***********.net | United States | ***,*** | |
| *****.*****.net | United States | ***,*** | |
| *****.***********.de | Germany | ***,*** | |
| ****************.ae |  United Arab Emirates | ***,*** | |
| *********.com | United States | ***,*** | |
| *************.com | United States | ***,*** | |
| *****.com | United States | ***,*** | |
| ***********.org | United States | ***,*** |
FAQ
CVE-2026-27885 is Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Piwigo
A total of 1,948 websites have been identified as vulnerable to CVE-2026-27885, based on global website indexing conducted by WebTechSurvey.
The Piwigo is affected by the CVE-2026-27885 vulnerability.
Piwigo versions up to 16.3 are vulnerable to CVE-2026-27885.
CVE-2026-27885 is resolved in version 16.3 of Piwigo.