Tinywebgallery

tinywebgallery

CVEs (13)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-53939 1Tinywebgallery 1Tinywebgallery Dec 24, 2025 Dec 18, 2025 5.1 MEDIUM· v4 5.4 MEDIUM· v3 N/A· v2 TinyWebGallery v2.5 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the folder name parameter. Attackers can edit album folder names with scrip...Show more TinyWebGallery v2.5 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the folder name parameter. Attackers can edit album folder names with script tags to execute arbitrary JavaScript when other users view the affected gallery pages.Show less
CVE-2023-53922 1Tinywebgallery 1Tinywebgallery Dec 24, 2025 Dec 17, 2025 9.3 CRITICAL· v4 9.8 CRITICAL· v3 N/A· v2 TinyWebGallery v2.5 contains a remote code execution vulnerability in the admin upload functionality that allows unauthenticated attackers to upload malicious PHP files. Attackers can upload .phar files with embedded sys...Show more TinyWebGallery v2.5 contains a remote code execution vulnerability in the admin upload functionality that allows unauthenticated attackers to upload malicious PHP files. Attackers can upload .phar files with embedded system commands to execute arbitrary code on the server by accessing the uploaded file's URL.Show less
CVE-2013-2631 1Tinywebgallery 1Tinywebgallery Nov 21, 2024 Feb 3, 2020 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 TinyWebGallery (TWG) 1.8.9 and earlier contains a full path disclosure vulnerability which allows remote attackers to obtain sensitive information through the parameters "twg_browserx" and "twg_browsery" in the page imag...Show more TinyWebGallery (TWG) 1.8.9 and earlier contains a full path disclosure vulnerability which allows remote attackers to obtain sensitive information through the parameters "twg_browserx" and "twg_browsery" in the page image.php.Show less
CVE-2012-2931 1Tinywebgallery 1Tinywebgallery Nov 21, 2024 Jan 9, 2020 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 PHP code injection in TinyWebGallery before 1.8.8 allows remote authenticated users with admin privileges to inject arbitrary code into the .htusers.php file.
CVE-2017-16635 1Tinywebgallery 1Tinywebgallery May 13, 2026 Nov 6, 2017 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 In TinyWebGallery v2.4, an XSS vulnerability is located in the `mkname`, `mkitem`, and `item` parameters of the `Add/Create` module. Remote attackers with low-privilege user accounts for backend access are able to inject...Show more In TinyWebGallery v2.4, an XSS vulnerability is located in the `mkname`, `mkitem`, and `item` parameters of the `Add/Create` module. Remote attackers with low-privilege user accounts for backend access are able to inject malicious script codes into the `TWG Explorer` item listing. The request method to inject is POST and the attack vector is located on the application-side of the service. The injection point is the add/create input field and the execution point occurs in the item listing after the add or create.Show less
CVE-2012-2932 1Tinywebgallery 1Tinywebgallery May 6, 2026 Apr 24, 2015 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Multiple cross-site scripting (XSS) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to inject arbitrary web script or HTML via the selitems[] parameter in a (1) copy, (2) chmod, or (3) arch ac...Show more Multiple cross-site scripting (XSS) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to inject arbitrary web script or HTML via the selitems[] parameter in a (1) copy, (2) chmod, or (3) arch action to admin/index.php or (4) searchitem parameter in a search action to admin/index.php.Show less
CVE-2012-2930 1Tinywebgallery 1Tinywebgallery May 6, 2026 Apr 24, 2015 N/A· v4 N/A· v3 6.8 MEDIUM· v2 Multiple cross-site request forgery (CSRF) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to hijack the authentication of administrators for requests that (1) add a user via an adduser action...Show more Multiple cross-site request forgery (CSRF) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to hijack the authentication of administrators for requests that (1) add a user via an adduser action to admin/index.php or (2) conduct static PHP code injection attacks in .htusers.php via the user parameter to admin/index.php.Show less
CVE-2012-5347 1Tinywebgallery 1Tinywebgallery Apr 29, 2026 Oct 9, 2012 N/A· v4 N/A· v3 7.5 HIGH· v2 TinyWebGallery 1.8.3 allows remote attackers to execute arbitrary code via shell metacharacters in the command parameter to (1) inc/filefunctions.inc or (2) info.php.
CVE-2011-3810 1Tinywebgallery 1Tinywebgallery Apr 29, 2026 Sep 24, 2011 N/A· v4 N/A· v3 5.0 MEDIUM· v2 TinyWebGallery (TWG) 1.8.3 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by i_frames/i_register.php.
CVE-2009-1911 2Claudio Klingler Tinywebgallery 2Quixplorer Tinywebgallery Apr 23, 2026 Jun 4, 2009 N/A· v4 N/A· v3 6.8 MEDIUM· v2 Directory traversal vulnerability in .include/init.php (aka admin/_include/init.php) in QuiXplorer 2.3.2 and earlier, as used in TinyWebGallery (TWG) 1.7.6 and earlier, allows remote attackers to include and execute arbi...Show more Directory traversal vulnerability in .include/init.php (aka admin/_include/init.php) in QuiXplorer 2.3.2 and earlier, as used in TinyWebGallery (TWG) 1.7.6 and earlier, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter to admin/index.php.Show less
CVE-2007-4958 1Tinywebgallery 1Tinywebgallery Apr 23, 2026 Sep 18, 2007 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Multiple cross-site scripting (XSS) vulnerabilities in TinyWebGallery (TWG) 1.6.3.4 allow remote attackers to inject arbitrary web script or HTML via the URI for (1) index.php, (2) i_frames/i_login.php, and (3) i_frames/...Show more Multiple cross-site scripting (XSS) vulnerabilities in TinyWebGallery (TWG) 1.6.3.4 allow remote attackers to inject arbitrary web script or HTML via the URI for (1) index.php, (2) i_frames/i_login.php, and (3) i_frames/i_top_tags.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.Show less
CVE-2006-4166 1Tinywebgallery 1Tinywebgallery Apr 16, 2026 Aug 16, 2006 N/A· v4 N/A· v3 7.5 HIGH· v2 PHP remote file inclusion vulnerability in TinyWebGallery 1.5 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the image parameter to (1) image.php or (2) image.php2.
CVE-2006-1802 1Tinywebgallery 1Tinywebgallery Apr 16, 2026 Apr 18, 2006 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in index.php in TinyWebGallery 1.3 and 1.4 allows remote attackers to inject arbitrary web script or HTML via the twg_album parameter.