SQL injection vulnerability found in Piwigo v.13.5.0 and before allows a remote attacker to execute arbitrary code via the filteruserid parameter to the admin.php?page=history&filterimageid=&filteruserid endpoint.