PatchSiren cyber security CVE debrief
CVE-2017-5608 Piwigo CVE debrief
CVE-2017-5608 is a cross-site scripting (XSS) issue in Piwigo’s image upload flow. According to the CVE record, versions before 2.8.6 could allow a remote attacker to inject arbitrary web script or HTML through a crafted image filename. The vulnerability is publicly documented in NVD and tied to a vendor fix in Piwigo 2.8.6.
- Vendor: Piwigo
- Product: CVE-2017-5608
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-28
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-28
- Advisory updated: 2026-05-13
Who should care
Piwigo administrators, site owners, and application security teams should care most if their deployments accept user-uploaded images or display uploaded filenames in the web interface. Any environment running Piwigo 2.8.5 or earlier is in scope for review.
Technical summary
NVD lists the weakness as CWE-79 (improper neutralization of input during web page generation) and rates the issue with CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The affected condition is specifically the image upload function, where a crafted filename can be reflected or rendered in a way that enables script or HTML injection. The supplied reference set includes the 2.8.6 release notes, a GitHub issue, and a fixing commit, indicating the issue was addressed in that release.
Defensive priority
Medium. The issue is remotely reachable but requires user interaction, and the expected impact is limited to confidentiality and integrity rather than availability. It is still important because XSS can enable account abuse, session theft, or unauthorized actions in the affected web application context.
Recommended defensive actions
- Upgrade Piwigo to version 2.8.6 or later as indicated by the vendor release notes.
- Verify that uploaded filenames are safely encoded before being displayed anywhere in the UI, including galleries, admin views, and confirmation pages.
- Review any custom themes, plugins, or templates that render upload metadata or filenames and ensure they do not bypass output encoding.
- Check whether users can upload images in your deployment and limit upload permissions where possible.
- After upgrading, validate that filenames containing special characters are normalized or escaped in all user-facing views.
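The output-encoding check behind the second and last actions, as an added example that is not Piwigo's own code: the two rendering functions are hypothetical stand-ins for a gallery row template, and the probe filename is constructed for the check.

```php
<?php
// Added example, not Piwigo's own code. Renders a gallery row for an uploaded
// filename two ways (raw concatenation versus output-encoded) and provides the
// post-upgrade check: a probe filename containing HTML metacharacters must only
// ever appear in its escaped form in user-facing HTML.
declare(strict_types=1);

// Encode a filename for use inside an HTML text node or a quoted attribute.
function escapeFilename(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hypothetical vulnerable rendering: the filename is concatenated into markup.
function renderRowUnsafe(string $name): string
{
    return '<li title="' . $name . '">' . $name . '</li>';
}

// Hardened rendering: every occurrence goes through escapeFilename().
function renderRowSafe(string $name): string
{
    $encoded = escapeFilename($name);
    return '<li title="' . $encoded . '">' . $encoded . '</li>';
}

// Post-upgrade check: true only when the raw probe is absent from the HTML and
// its fully escaped form is present. Partial escaping (say, '<' encoded but '"'
// left alone) fails both conditions and is reported as unescaped.
function filenameIsEscaped(string $html, string $probe): bool
{
    return strpos($html, $probe) === false
        && strpos($html, escapeFilename($probe)) !== false;
}

// Constructed probe: harmless, but carries the characters that matter for XSS.
$probe = 'holiday "<b>2017</b>".jpg';

foreach (['unsafe' => renderRowUnsafe($probe), 'safe' => renderRowSafe($probe)] as $label => $html) {
    printf("%-6s %s -> %s\n", $label, filenameIsEscaped($html, $probe) ? 'OK' : 'UNESCAPED', $html);
}
```

Against a live deployment the same check applies to the HTML of each view listed above (gallery, admin, confirmation pages) after uploading a file with the probe name.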
Evidence notes
The CVE record and NVD detail identify the issue as XSS in the image upload function of Piwigo before 2.8.6. NVD associates the vulnerability with CWE-79 and the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The supplied references point to the vendor release notes for 2.8.6, a GitHub issue, and a GitHub commit, which together support the remediation timing and affected-version boundary.
Official resources
- CVE-2017-5608 CVE record (CVE.org)
- CVE-2017-5608 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Release Notes, Vendor Advisory
- Mitigation or vendor reference: Third Party Advisory, VDB Entry
- Mitigation or vendor reference: Issue Tracking, Patch, Third Party Advisory
- Mitigation or vendor reference: Issue Tracking, Patch, Third Party Advisory
Publicly disclosed in the CVE/NVD record on 2017-01-28, with remediation referenced in Piwigo 2.8.6 release materials. Use the CVE publication date for timing context; do not infer a later issue date from the NVD modification timestamp.