8.8

XooGallery: Unsecured Photo IDs Expose Sensitive Data

CVE-2019-25522
Summary

Attackers can access sensitive data or manipulate database contents by sending malicious GET requests to XooGallery's photo.php page. This vulnerability affects all users, and no login is required. To protect your data, update XooGallery to the latest version or consider replacing it with a different photo gallery solution.

Original title
XooGallery Latest contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through the photo_id parameter. Attackers...
Original description
XooGallery Latest contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through the photo_id parameter. Attackers can send GET requests to photo.php with malicious photo_id values to extract sensitive data, bypass authentication, or modify database contents.
NVD CVSS 3.1: 8.2
NVD CVSS 4.0: 8.8
Vulnerability type
CWE-89 SQL Injection
Published: 12 Mar 2026 · Updated: 13 Mar 2026 · First seen: 12 Mar 2026
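A detection sketch for the request pattern described above: it scans web server access logs for GET requests to photo.php whose photo_id is not a plain integer. This is an added example, not code from the advisory or from XooGallery; it assumes that legitimate photo_id values are decimal integers and that the server writes Common Log Format, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Common Log Format (not from a real server).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2026:10:00:01 +0000] "GET /photo.php?photo_id=42 HTTP/1.1" 200 5120
203.0.113.9 - - [12/Mar/2026:10:00:07 +0000] "GET /photo.php?photo_id=42%27 HTTP/1.1" 500 310
203.0.113.9 - - [12/Mar/2026:10:00:09 +0000] "GET /gallery/photo.php?photo_id=42%20OR%201%3D1 HTTP/1.1" 200 9000
198.51.100.4 - - [12/Mar/2026:10:01:00 +0000] "GET /index.php?photo_id=abc HTTP/1.1" 200 800
198.51.100.4 - - [12/Mar/2026:10:01:30 +0000] "GET /photo.php HTTP/1.1" 200 800
198.51.100.7 - - [12/Mar/2026:10:02:00 +0000] "GET /photo.php?photo_id=1&photo_id=2%2D%2D HTTP/1.1" 200 800
"""

# client, timestamp, method, request target, status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3})')
# Assumption: a legitimate photo_id is 1-10 ASCII digits and nothing else.
VALID_ID = re.compile(r"[0-9]{1,10}")


def suspicious_photo_requests(log_text):
    """Return one finding per GET to photo.php carrying a non-integer photo_id."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, when, method, target, status = m.groups()
        url = urlsplit(target)
        if method != "GET" or not url.path.endswith("/photo.php"):
            continue
        # parse_qs percent-decodes each value and keeps repeated parameters,
        # so a clean first photo_id cannot hide a second, malformed one.
        values = parse_qs(url.query, keep_blank_values=True).get("photo_id", [])
        bad = [v for v in values if not VALID_ID.fullmatch(v)]
        if bad:
            findings.append(
                {"client": client, "time": when, "status": status, "values": bad}
            )
    return findings


if __name__ == "__main__":
    for f in suspicious_photo_requests(SAMPLE_LOG):
        print(f["time"], f["client"], f["status"], f["values"])
```

A 500 status on a flagged request suggests a query that broke, while a 200 with an unusually large response is worth checking for returned data.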