CVE-2026-27360 in Photo Gallery Plugin
Summary
by MITRE • 02/19/2026
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10Web Photo Gallery by 10Web photo-gallery allows Stored XSS. This issue affects Photo Gallery by 10Web: from n/a through <= 1.8.37.
Analysis
by VulDB Data Team • 02/22/2026
CVE-2026-27360 is a critical cross-site scripting flaw in the 10Web Photo Gallery plugin affecting versions up to and including 1.8.37. It is classified as CWE-79 (improper neutralization of input during web page generation), here in its stored form. An attacker who can inject script into a gallery page gets that script executed in the browser of every other user who later views the gallery, so a single injection creates a persistent risk for many users at once.
The root cause is inadequate input sanitization and output encoding in the plugin's page generation. When users submit content through the gallery interface, such as image captions, titles, or other metadata fields, the plugin fails to neutralize potentially malicious input before storing it and rendering it into the generated page. Script tags or other markup supplied by an attacker are therefore written to the database as-is and emitted unchanged whenever the gallery page is served. The issue is stored rather than reflected XSS because the payload persists in the application's database instead of living only in a single crafted request.
The operational impact goes beyond running a script in a victim's browser: the injected code runs with the victim's session, so an attacker can read cookies, session tokens, and other sensitive data, impersonate legitimate users, and from an administrator's session reach administrative functions. Because every user who views the gallery is exposed, the flaw is particularly dangerous on sites that host user-generated content or have multiple contributors. The analysis maps the credential access achieved through the injected script to ATT&CK technique T1531, and the initial access vector, an attack against the web application itself, to T1190.
Mitigation for CVE-2026-27360 should start with updating the plugin to version 1.8.38 or later, which contains the input validation and output encoding fixes. Beyond patching, all user-supplied gallery data should be validated before storage and encoded for its output context when rendered, so that dangerous characters and script tags are escaped or removed. A Content Security Policy header adds a further layer by restricting which scripts may execute on gallery pages. Security monitoring should include regular vulnerability scanning of web applications to catch similar sanitization flaws, and user education about the risks of submitting untrusted content remains important. The case illustrates the input/output encoding practices described in the OWASP Top 10 and the need for regular security audits of third-party plugins.
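As an added example, not code from the Photo Gallery plugin, the following shows the unescaped rendering pattern described in the analysis beside the context-aware escaping the mitigation section calls for. The gallery record and field names are constructed, and the helpers are plain-PHP stand-ins for WordPress's esc_html(), esc_attr() and esc_url() so the file runs stand-alone.

```php
<?php
// Added example, not code from the Photo Gallery plugin: the unescaped rendering
// pattern behind CWE-79 beside a context-aware escaped version. Plain PHP is used
// so it runs stand-alone; in WordPress the equivalents are esc_html(), esc_attr(),
// esc_url() and, for captions that may carry limited markup, wp_kses_post().

// Constructed gallery record standing in for a row saved through the admin UI.
$item = [
    'title'   => 'Sunset <script>alert(document.cookie)</script>',
    'alt'     => '" onerror="alert(1)',
    'src'     => 'javascript:alert(1)',
    'caption' => 'Trip <b>2026</b>',
];

// Vulnerable pattern: stored values are concatenated straight into markup, so
// whatever was saved is parsed as HTML/JS by the browser of every visitor.
function render_unsafe(array $item): string {
    return '<figure><img src="' . $item['src'] . '" alt="' . $item['alt'] . '">'
         . '<figcaption><h3>' . $item['title'] . '</h3>'
         . $item['caption'] . '</figcaption></figure>';
}

// Encode for HTML text and double-quoted attribute contexts.
// ENT_QUOTES covers both quote characters; ENT_SUBSTITUTE avoids empty output
// on invalid UTF-8, which would otherwise silently drop the whole value.
function esc_text(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Attribute escaping alone does not stop a javascript: or data: URL in src, so
// the scheme is allow-listed first (relative upload paths would need their own branch).
function esc_img_url(string $url): string {
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? esc_text($url) : '';
}

// Hardened rendering: every stored value is encoded for the context it lands in.
// The caption is fully encoded here; if limited HTML must be allowed, run it
// through an allow-list sanitizer (wp_kses_post) rather than strip_tags, which
// keeps event-handler attributes on the tags it permits.
function render_safe(array $item): string {
    return '<figure><img src="' . esc_img_url($item['src']) . '" alt="' . esc_text($item['alt']) . '">'
         . '<figcaption><h3>' . esc_text($item['title']) . '</h3>'
         . esc_text($item['caption']) . '</figcaption></figure>';
}

echo "Vulnerable: " . render_unsafe($item) . PHP_EOL;
echo "Hardened:   " . render_safe($item) . PHP_EOL;
```

Running it side by side shows the stored script surviving verbatim in the first output and appearing only as inert entity-encoded text in the second, with the javascript: source dropped entirely.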