Aggregates CVE and security vulnerability intelligence across all gallery_project-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk file inclusion, vendor risk path handling, and vendor risk cross-site scripting and related problems; some flaws may lead to vendor impact file overwrite.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2012-4919 | Gallery Plugin1.4 for WordPress has a Remote File Include Vulnerability | [email protected] | 9.8 | 0.87% | 2020-01-22 | 2024-11-21 |
| CVE-2006-4030 | Unspecified vulnerability in the stats module in Gallery 1.5.1-RC2 and earlier allows remote attackers to obtain sensitive information via unspecified attack vectors, related to "two file exposure bugs." | [email protected] | 5.0 | 0.60% | 2006-08-16 | 2026-04-16 |
| CVE-2006-1696 | Cross-site scripting (XSS) vulnerability in Gallery before 1.5.3 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors. | [email protected] | 4.3 | 0.51% | 2006-04-11 | 2026-04-16 |
| CVE-2006-1219 | Directory traversal vulnerability in Gallery 2.0.3 and earlier, and 2.1 before RC-2a, allows remote attackers to include arbitrary PHP files via ".." (dot dot) sequences in the stepOrder parameter to (1) upgrade/index.php or (2) install/index.php. | [email protected] | 5.0 | 10.28% | 2006-03-14 | 2026-04-16 |
| CVE-2006-1128 | Directory traversal vulnerability in the session handling class (GallerySession.class) in Gallery 2 up to 2.0.2 allows remote attackers to access and delete files by specifying the session in a cookie, which is used in constructing file paths before the session value is sanitized. | [email protected] | 6.4 | 11.03% | 2006-03-09 | 2026-04-16 |
| CVE-2006-1127 | Cross-site scripting (XSS) vulnerability in Gallery 2 up to 2.0.2 allows remote attackers to inject arbitrary web script or HTML via the X-Forwarded-For (X_FORWARDED_FOR) HTTP header, which is not properly handled when adding a comment to an album. | [email protected] | 4.3 | 5.66% | 2006-03-09 | 2026-04-16 |
| CVE-2006-1126 | Gallery 2 up to 2.0.2 allows remote attackers to spoof their IP address via a modified X-Forwarded-For (X_FORWARDED_FOR) HTTP header, which is checked by Gallery before other more reliable sources of IP address information, such as REMOTE_ADDR. | [email protected] | 6.4 | 0.76% | 2006-03-09 | 2026-04-16 |
| CVE-2006-0587 | Unspecified vulnerability in util.php in Gallery before 1.5.2-pl2 allows remote authenticated users with trick an owner into modifying stored album data and possibly executing arbitrary code via unspecified vectors involving a crafted link to a crafted file. | [email protected] | 6.5 | 1.74% | 2006-02-08 | 2026-04-16 |
| CVE-2006-0330 | Cross-site scripting (XSS) vulnerability in Gallery before 1.5.2 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors, possibly involving the user name (fullname). | [email protected] | 4.3 | 1.34% | 2006-01-21 | 2026-04-16 |
| CVE-2005-4023 | Unspecified vulnerability in the zipcart module in Gallery 2.0 before 2.0.2 allows remote attackers to read arbitrary files via unknown vectors. | [email protected] | 5.0 | 0.40% | 2005-12-05 | 2026-04-16 |
| CVE-2005-4021 | The installer for Gallery 2.0 before 2.0.2 stores the install log under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information. | [email protected] | 5.0 | 0.35% | 2005-12-05 | 2026-04-16 |
| CVE-2005-3251 | Directory traversal vulnerability in the gallery script in Gallery 2.0 (G2) allows remote attackers to read or include arbitrary files via ".." sequences in the g2_itemId parameter. | [email protected] | 6.4 | 1.60% | 2005-10-17 | 2026-04-16 |
| CVE-2005-2734 | Cross-site scripting (XSS) vulnerability in Gallery 1.5.1-RC2 and earlier allows remote attackers to inject arbitrary web script or HTML via EXIF data, such as the Camera Model Tag. | [email protected] | 4.3 | 0.80% | 2005-08-30 | 2026-04-16 |
| CVE-2005-2596 | User.php in Gallery, as used in Postnuke, allows users with any Admin privileges to gain access to all galleries. | [email protected] | 4.6 | 0.07% | 2005-08-17 | 2026-04-16 |
| CVE-2005-0222 | main.php in Gallery 2.0 Alpha allows remote attackers to gain sensitive information by changing the value of g2_subView parameter, which reveals the path in an error message. | [email protected] | 5.0 | 0.77% | 2005-05-02 | 2026-04-16 |
| CVE-2005-0220 | Cross-site scripting vulnerability in login.php in Gallery 1.4.4-pl2 allows remote attackers to inject arbitrary web script or HTML via the username field. | [email protected] | 5.0 | 0.60% | 2005-05-02 | 2026-04-16 |
| CVE-2005-0219 | Multiple cross-site scripting (XSS) vulnerabilities in Gallery 1.3.4-pl1 allow remote attackers to inject arbitrary web script or HTML via (1) the index field in add_comment.php, (2) set_albumName, (3) slide_index, (4) slide_full, (5) slide_loop, (6) slide_pause, (7) slide_dir fields in slideshow_low.php, or (8) username field in search.php. | [email protected] | 4.3 | 0.53% | 2005-05-02 | 2026-04-16 |
| CVE-2005-0221 | Cross-site scripting (XSS) vulnerability in login.php in Gallery 2.0 Alpha allows remote attackers to inject arbitrary web script or HTML via the g2_form[subject] field. | [email protected] | 4.3 | 0.87% | 2005-01-17 | 2026-04-16 |
| CVE-2004-1106 | Cross-site scripting (XSS) vulnerability in Gallery 1.4.4-pl3 and earlier allows remote attackers to execute arbitrary web script or HTML via "specially formed URLs," possibly via the include parameter in index.php. | [email protected] | 6.8 | 1.63% | 2005-01-10 | 2026-04-16 |
| CVE-2004-2124 | The register_globals simulation capability in Gallery 1.3.1 through 1.4.1 allows remote attackers to modify the HTTP_POST_VARS variable and conduct a PHP remote file inclusion attack via the GALLERY_BASEDIR parameter, a different vulnerability than CVE-2002-1412. | [email protected] | 5.0 | 6.36% | 2004-12-31 | 2026-04-16 |