New release 16.4.0 comes with 7 security issues fixed and 9 bugs also fixed.
Maybe because of recent AI tools, we have received (and continue to receive) several security advisories in the last weeks. Here are the first 7 security issues fixed. Special thanks to security reporters Jonathan from Helx.io, Leousum, sh4dowalker, maru1009, LipeOzyy and chakradhar1228.
Background image by MART PRODUCTION on Pexels
Have a good update!
Piwigo 16.4.0 release note
Offline
Thank you! :-)
Offline
For some reason, I still see an update notification when I log in to my Piwigo admin panel, but when I open the update page it says:
“Currently running version 16.2.0. You are running the latest version of Piwigo.”
So it looks like the notification may be stuck or cached (cleaned everything)
[Forum, topic 34818] Piwigo 16.2.0 shows update to 16.4.0 on Environment page, but Updates
Offline
thanks, I appreciate your concerns about security and the good maintenance of piwigo!!
after upgrading to 16.4 switching to PHP 8.5 i get the following error:
Deprecated: ord(): Providing a string that is not one byte long is deprecated. Use ord($str[0]) instead in /home/p-t6mte9/html/etienne-piwigo-fu381/include/functions_url.inc.php on line 262
after changing it to the suggested fix "Use ord($str[0])" everything seems to be fine again.
anybody else?
best,
etienne
Offline
There is a small error in the instructions for updating via docker. The line for the database dump should be
docker exec -it piwigo-db-1 mariadb-dump -u piwigodb_user -p"piwigodb" | tee db_dump.sql
as per the mariadb man page:
• --password[=password], -p[password]
The password to use when connecting to the server. If you use
the short option form (-p), you cannot have a space between
the option and the password. If you omit the password value
following the --password or -p option on the command line,
mariadb-dump prompts for one.
Specifying a password on the command line should be considered
insecure. You can use an option file to avoid giving the
password on the command line.
Was bashing my head against some walls before I found this :)
Offline
Updating docker image from v16.3.0 to v16.4.0 or v16.4.0a has an error in the log:
2026-05-05T14:43:11.247103495Z find: ‘/usr/local/bin/scripts/’: No such file or directory
Container startup seems to stop when this file is not found - no other entries in the log after this and site sending a 502 bad gateway error.
reverted to v16.3.0 and working fine, no errors.
Dave S wrote:
Updating docker image from v16.3.0 to v16.4.0 or v16.4.0a has an error in the log:
2026-05-05T14:43:11.247103495Z find: ‘/usr/local/bin/scripts/’: No such file or directory
Container startup seems to stop when this file is not found - no other entries in the log after this and site sending a 502 bad gateway error.
reverted to v16.3.0 and working fine, no errors.
I also got 502 bad gateway after updating, but being a long-time Linux user but first-time server owner, I rebooted the server and after that it was working. Horribly low tech solution, sorry.
Offline
If someone knows the destination folder for the photos, they can see them. Doesn't Piwigo encrypt photos on the server, or am I just not able to enable it?
Hi,
That's a different topic. Please start a new thread.
Bramin wrote:
If someone knows the destination folder for the photos
If you go to a photo directory in your web browser, you'll be redirected to the Piwigo homepage
Offline
After update to 16.4.0 the database queries have increased a lot, 556% CPU.
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1809 mysql 20 0 3221124 413404 26240 S 556.0 0.6 195:33.86 mariadbd
Is this expected? Will it be back to normal after a few days?
Last edited by mfgpi (2026-05-10 20:08:09)
Offline
Hi,
After testing I think you made a mistake somewhere when configuring your database password.
The original command works with an interactive password prompt, the only way it would work in your case is if your database password was "piwigodb" (which shouldn't be the case).
The no space after -p is only if you want to use non interactive mode to send your password.
pump_up_the_jam wrote:
There is a small error in the instructions for updating via docker. The line for the database dump should be
Code:
docker exec -it piwigo-db-1 mariadb-dump -u piwigodb_user -p"piwigodb" | tee db_dump.sql
as per the mariadb man page:
• --password[=password], -p[password]
The password to use when connecting to the server. If you use
the short option form (-p), you cannot have a space between
the option and the password. If you omit the password value
following the --password or -p option on the command line,
mariadb-dump prompts for one.
Specifying a password on the command line should be considered
insecure. You can use an option file to avoid giving the
password on the command line.
Was bashing my head against some walls before I found this :)
Last edited by RushLana (2026-05-11 09:29:54)
Offline
Hello,
I couldn't reproduce your issue, this seems linked to a missing optional directory, did you remove the script mounting point from your compose.yaml?
Dave S wrote:
Updating docker image from v16.3.0 to v16.4.0 or v16.4.0a has an error in the log:
2026-05-05T14:43:11.247103495Z find: ‘/usr/local/bin/scripts/’: No such file or directory
Container startup seems to stop when this file is not found - no other entries in the log after this and site sending a 502 bad gateway error.
reverted to v16.3.0 and working fine, no errors.
Offline
Aha, it was expecting the password to be input manually and "piwigodb" was referencing the database name? I tried a few times entering the password manually but it was never accepted, but it contains some strange characters and I was pasting it, maybe it escaped the input field somehow.
/Br
RushLana wrote:
Hi,
After testing I think you made a mistake somewhere when configuring your database password.
The original command works with an interactive password prompt, the only way it would work in your case is if your database password was "piwigodb" (which shouldn't be the case).
The no space after -p is only if you want to use non interactive mode to send your password.
pump_up_the_jam wrote:
There is a small error in the instructions for updating via docker. The line for the database dump should be
Code:
docker exec -it piwigo-db-1 mariadb-dump -u piwigodb_user -p"piwigodb" | tee db_dump.sql
as per the mariadb man page:
• --password[=password], -p[password]
The password to use when connecting to the server. If you use
the short option form (-p), you cannot have a space between
the option and the password. If you omit the password value
following the --password or -p option on the command line,
mariadb-dump prompts for one.
Specifying a password on the command line should be considered
insecure. You can use an option file to avoid giving the
password on the command line.
Was bashing my head against some walls before I found this :)
Offline
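The option-file route that the quoted man page recommends, as an added example (not from the Piwigo documentation or from any poster in this thread). It keeps the password off the command line and out of the paste-into-prompt path discussed above. Assumptions: the container, user and database names are the ones quoted in the thread; the in-container path /tmp/dump.cnf and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. piwigo-db-1 / piwigodb_user / piwigodb are the names quoted
# in the thread; /tmp/dump.cnf inside the container is an assumed path.

# write_client_cnf PATH USER PASSWORD
# Creates an owner-only (0600) option file. The password is handled by shell
# builtins and a pipe, so it never shows up in a process argument list.
write_client_cnf() {
    (
        umask 077
        rm -f "$1"
        # Escape backslash and double quote; the quotes keep '#' and spaces.
        esc=$(printf '%s' "$3" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
        printf '[client]\nuser=%s\npassword="%s"\n' "$2" "$esc" > "$1"
    )
}

# dump_db CONTAINER DATABASE CNF OUTFILE
# No -t on docker exec: a TTY would rewrite line endings in the dump.
dump_db() {
    docker cp "$3" "$1:/tmp/dump.cnf" || return 1
    # --defaults-extra-file has to be the first option on the command line.
    docker exec "$1" mariadb-dump --defaults-extra-file=/tmp/dump.cnf "$2" > "$4"
    rc=$?
    docker exec "$1" rm -f /tmp/dump.cnf
    return "$rc"
}

# Run as: sh dump.sh dump   (prompts once, without echoing the password)
if [ "${1:-}" = "dump" ]; then
    cnf=$(mktemp -d)/dump.cnf
    printf 'Database password: ' >&2
    stty -echo; IFS= read -r pw; stty echo; printf '\n' >&2
    write_client_cnf "$cnf" piwigodb_user "$pw" &&
        dump_db piwigo-db-1 piwigodb "$cnf" db_dump.sql
    rc=$?
    rm -rf "$(dirname "$cnf")"
    exit "$rc"
fi
```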
mfgpi wrote:
After update to 16.4.0 the database queries have increased a lot, 556% CPU.
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1809 mysql 20 0 3221124 413404 26240 S 556.0 0.6 195:33.86 mariadbd
Is this expected? Will it be back to normal after a few days?
It is not expected.
What was your previous version of Piwigo, before you updated to 16.4.0?
Offline
Bramin wrote:
If someone knows the destination folder for the photos, they can see them.
I confirm what ddtddt says: knowing the destination folder does not give you access to photos it contains. For example, here is a "folder" containing photos https://demo1.piwigo.com/uploads/y/0/v/ … 023/09/19/ : can you tell me how many there are in this folder?
An exception exists: if you have added photos with the "sync" method and you didn't secure the directory.
Bramin wrote:
Doesn't Piwigo encrypt photos on the server, or am I just not able to enable it?
Piwigo does not encrypt photos.
Offline