Photo Gallery Application Vulnerability in Piwigo by Piwigo
CVE-2024-48928

2.7LOW

Key Information:

Vendor: Piwigo
Status: Piwigo
Vendor: CVE Published:; 24 February 2026

What is CVE-2024-48928?

Piwigo, an open-source photo gallery application, is vulnerable due to the way it handles the secret_key configuration parameter during installation. In versions prior to 15.0.0, the key is generated using MD5(RAND()), which provides inadequate randomness (only 30 bits). This low entropy allows attackers to feasibly brute-force the secret key within approximately one hour. Compromised keys can lead to successful CSRF token validation, substantially increasing the risk of unauthorized access to user sessions and sensitive data. While the impact is somewhat limited due to additional security measures, such as incorporating user credentials into the auto login key and session keys, remediation is necessary, and users are strongly advised to upgrade to version 15.0.0 or later.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Piwigo >= 14.0.0, < 15.0.0

References

https://github.com/Piwigo/Piwigo/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/Piwigo/Piwigo/commit/552499e0533ce54b5...

x_refsource_MISC

CVSS V4

Score:

2.7

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Feb 24, 2026
Vulnerability Reserved
Oct 9, 2024

JSON

Piwigo

What is CVE-2024-48928?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V4

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.