{"id":"CVE-2017-9426","details":"ws.php in the Facetag extension 0.0.3 for Piwigo allows SQL injection via the imageId parameter in a facetag.changeTag or facetag.listTags action.","modified":"2026-04-02T00:20:17.632192Z","published":"2018-02-26T04:29:00.273Z","references":[{"type":"ADVISORY","url":"http://touhidshaikh.com/blog/poc/facetag-extension-piwigo-sqli/"},{"type":"EVIDENCE","url":"https://www.exploit-db.com/exploits/42094/"},{"type":"EVIDENCE","url":"https://www.youtube.com/watch?v=MVCe_zYtFsQ"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pommes-frites/piwigo-facetag","events":[{"introduced":"0"},{"last_affected":"53b6711d387a6ce28e9fae84c0d3cbda7dcc7c08"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.0.3"}]}}],"versions":["v0.0.1","v0.0.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-9426.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}