Piwigo is an open source photo gallery application. Prior to version 14.0.0beta4, a reflected cross-site scripting (XSS) vulnerability is in the` /admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page. This vulnerability can be exploited by an attacker to inject malicious HTML and JS code into the HTML page, which could then be executed by admin users when they visit the URL with the payload. The vulnerability is caused by the insecure injection of the `plugin_id` value from the URL into the HTML page. An attacker can exploit this vulnerability by crafting a malicious URL that contains a specially crafted `plugin_id` value. When a victim who is logged in as an administrator visits this URL, the malicious code will be injected into the HTML page and executed. This vulnerability can be exploited by any attacker who has access to a malicious URL. However, only users who are logged in as administrators are affected. This is because the vulnerability is only present on the `/admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page, which is only accessible to administrators. Version 14.0.0.beta4 contains a patch for this issue.
Conclusion & alert: CVE-2023-44393 is rated High Exploit Risk (70.4/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 1.28%). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 6.24% | 1.28% | -4.96% |
| 2 | 2026-04-19 | 4.70% | 6.24% | +1.55% |
| 3 | 2025-11-21 | — | 4.70% | — |
Full EPSS history (16 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.3 | 3.1 | CRITICAL |
|
2.8 | 5.8 | [email protected] |
| 6.1 | 3.1 | MEDIUM |
|
2.8 | 2.7 | [email protected] |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| piwigo | piwigo | <= 13.8.0 | cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:* |
| piwigo | piwigo | 14.0.0 | cpe:2.3:a:piwigo:piwigo:14.0.0:beta1:*:*:*:*:*:* |
| piwigo | piwigo | 14.0.0 | cpe:2.3:a:piwigo:piwigo:14.0.0:beta2:*:*:*:*:*:* |
| piwigo | piwigo | 14.0.0 | cpe:2.3:a:piwigo:piwigo:14.0.0:beta3:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://github.com/Piwigo/Piwigo/commit/cc99c0f1e967c5f1722a0cce30ff42374a7bbc23 | Patch |
| https://github.com/Piwigo/Piwigo/security/advisories/GHSA-qg85-957m-7vgg | Exploit Third Party Advisory |