SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL commands via the catfalse or cattrue parameter in the comments or status page to cat_options.php.