{"id":"CVE-2024-43018","details":"Piwigo 13.8.0 and below is vulnerable to SQL Injection in the parameters max_level and min_register. These parameters are used in the ws_user_gerList function in the file include\\ws_functions\\pwg.users.php; this function is called at some point by ws.php and can be used to search users in an advanced way in /admin.php?page=user_list.","modified":"2026-04-10T05:16:14.451540Z","published":"2025-07-29T20:15:26.410Z","references":[{"type":"FIX","url":"https://github.com/Piwigo/Piwigo/issues/2197"},{"type":"EVIDENCE","url":"https://github.com/inesmarcal/CVE-2024-43018"},{"type":"EVIDENCE","url":"https://github.com/joaosilva21/CVE-2024-43018"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/piwigo/piwigo","events":[{"introduced":"0"},{"last_affected":"9b256a97e7cfd8b8b38fa7a3cd3929c738d632c9"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"13.8.0"}]}}],"versions":["12.0.0RC1","12.0.0RC2","12.0.0beta1","12.0.0beta2","13.0.0","13.0.0RC1","13.0.0RC2","13.0.0RC3","13.0.0RC4","13.0.0beta1","13.0.0beta2","13.1.0","13.2.0","13.3.0","13.4.0","13.5.0","13.6.0","13.7.0","13.8.0","2.10.0RC1","2.10.0beta1","2.10.0beta2","2.11.0beta1","2.11.0beta2","2.11.0beta3","2.11.0beta4","2.8.0RC1","2.8.0RC2","2.9.0RC1","2.9.0RC2","2.9.0beta1","2.9.0beta2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-43018.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}]}