Piwigo Web Photo Gallery: Secret Key Easily Guessable
CVE-2024-48928
Summary
Piwigo versions 14.x have a weak secret key that can be guessed in under an hour. This could allow an attacker to access sensitive information or perform actions on your photo gallery. To fix this, update to version 15.0.0 or later.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| piwigo | piwigo | > 14.0.0, <= 14.5.0 | – |
Original description
Piwigo is an open source photo gallery application for the web. In versions on the 14.x branch, when installing, the secret_key configuration parameter is set to MD5(RAND()) in MySQL. However, RAND() only has 30 bits of randomness, making it feasible to brute-force the secret key. The CSRF token is constructed partially from the secret key, and this can be used to check if the brute force succeeded. Trying all possible values takes approximately one hour. The impact of this is limited. The auto login key uses the user's password on top of the secret key. The pwg token uses the user's session identifier on top of the secret key. It seems that values for get_ephemeral_key can be generated when one knows the secret key. Version 15.0.0 contains a fix for the issue.
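As an added illustration (not from the advisory or Piwigo's own code) of why the 30-bit seed matters: it derives the guess rate implied by the advisory's one-hour figure, shows what that same rate means against a 256-bit key, and gives a CSPRNG-backed replacement generator. The `is_md5_sized_hex` check is an assumed heuristic for spotting a 14.x-style key by its shape, not a check Piwigo performs.

```python
import secrets

# Figures taken from the advisory: MySQL RAND() carries about 30 bits of
# randomness, and exhausting the MD5(RAND()) key space takes roughly one hour.
MYSQL_RAND_ENTROPY_BITS = 30
ADVISORY_SEARCH_SECONDS = 3600


def implied_guess_rate(entropy_bits: int, seconds: float) -> float:
    """Guesses per second needed to exhaust a key space of `entropy_bits` bits in `seconds`."""
    return (2 ** entropy_bits) / seconds


def seconds_to_exhaust(entropy_bits: int, guesses_per_second: float) -> float:
    """Wall-clock seconds to try every key of a space with `entropy_bits` bits."""
    return (2 ** entropy_bits) / guesses_per_second


def strong_secret_key(num_bytes: int = 32) -> str:
    """Replacement generator: 256 bits from the OS CSPRNG, hex-encoded (64 chars)."""
    return secrets.token_hex(num_bytes)


def is_md5_sized_hex(key: str) -> bool:
    """Heuristic only (an assumption, not a Piwigo check): a 32-character lowercase
    hex secret_key has the shape of MD5 output, which is what the 14.x installer stored.
    A key of that shape is worth rotating; the shape alone does not prove it is weak."""
    return len(key) == 32 and all(c in "0123456789abcdef" for c in key)


if __name__ == "__main__":
    rate = implied_guess_rate(MYSQL_RAND_ENTROPY_BITS, ADVISORY_SEARCH_SECONDS)
    print(f"~{rate:,.0f} guesses/s exhaust a 30-bit space in one hour")
    years = seconds_to_exhaust(256, rate) / (365 * 24 * 3600)
    print(f"the same rate needs ~{years:.3e} years for a 256-bit key")
    # Constructed sample: the MD5 of an empty string, used only to show the shape check.
    print("looks MD5-sized:", is_md5_sized_hex("d41d8cd98f00b204e9800998ecf8427e"))
    print("example replacement key:", strong_secret_key())
```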
nvd CVSS3.1
7.5
nvd CVSS4.0
2.7
Vulnerability type
CWE-330
Use of Insufficiently Random Values
Published: 24 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026