VIR Vulnerability Intelligence Relay

CVE-2016-10105

critical
Published 2017-01-03 · Modified 2026-05-06
CVSS v3
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2
7.5
VIR risk
9.8

Description

admin/plugin.php in Piwigo through 2.8.3 doesn't validate the sections variable while using it to include files. This can cause information disclosure and code execution if it contains a .. sequence.

Predictions

Exploit likelihood
97%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://github.com/Piwigo/Piwigo/issues/574#issuecomment-267938358

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://github.com/Piwigo/Piwigo/commit/9004fdfc0b4a11cb32e9e15a5f67e4ec827e82dc

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://github.com/Piwigo/Piwigo/commit/8796e43aa344681d92a92e1f9b985409d4f36e31

Application impact
VendorProductVersionsFixed
piwigopiwigo{"endIncluding":"2.8.3"}

References

CWEs

CWE-200 CWE-284

Verify integrity in audit chain (admin only). AS-IS.