From 74edc3999569e412f6ec206f0ae3d16e73b37719 Mon Sep 17 00:00:00 2001
From: plegall <plg@piwigo.org>
Date: Wed, 4 Feb 2026 15:49:43 +0100
Subject: [PATCH] fixes #2519 prevent CSRF on album notification form

---
 admin/album_notification.php                         | 1 +
 admin/themes/default/template/album_notification.tpl | 1 +
 2 files changed, 2 insertions(+)

diff --git a/admin/album_notification.php b/admin/album_notification.php
index 3a56bac19..f9899f00b 100644
--- a/admin/album_notification.php
+++ b/admin/album_notification.php
@@ -33,6 +33,7 @@ $page['cat'] = $category['id'];
 // info by email to an access granted group of category informations
 if (isset($_POST['submitEmail']))
 {
+  check_pwg_token();
   set_make_full_url();
 
   $img = array();
diff --git a/admin/themes/default/template/album_notification.tpl b/admin/themes/default/template/album_notification.tpl
index b97fa3304..a984e4b70 100644
--- a/admin/themes/default/template/album_notification.tpl
+++ b/admin/themes/default/template/album_notification.tpl
@@ -61,6 +61,7 @@ span.errors {
 {/html_style}
 
 <form action="{$F_ACTION}" method="post" id="categoryNotify">
+<input type="hidden" name="pwg_token" value="{$PWG_TOKEN}">
 
 <fieldset id="emailCatInfo">
   <legend><span class="icon-mail-1 icon-green"></span>{'Send mail to users'|@translate}</legend>