CVE-2025-62406

8.1 HIGH
Published: November 18, 2025 Modified: November 25, 2025
View on NVD

Description

Piwigo is a full featured open source photo gallery application for the web. In Piwigo 15.6.0, using the password reset function allows sending a password-reset URL by entering an existing username or email address. However, the hostname used to construct this URL is taken from the HTTP request's Host header and is not validated at all. Therefore, an attacker can send a password-reset URL with a modified hostname to an existing user whose username or email the attacker knows or guesses. This issue has been patched in version 15.7.0.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/Piwigo/Piwigo/commit/9d2565465efc3570963ff431b45cad21610f6692
Source: security-advisories@github.com
Patch
https://github.com/Piwigo/Piwigo/security/advisories/GHSA-9986-w7jf-33f6
Source: security-advisories@github.com
Exploit Vendor Advisory
https://github.com/Piwigo/Piwigo/security/advisories/GHSA-9986-w7jf-33f6
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit Vendor Advisory

3 reference(s) from NVD

Quick Stats

CVSS v3 Score
8.1 / 10.0
EPSS (Exploit Probability)
0.0%
10th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-640

Affected Vendors

piwigo

Related CVEs

CVE-2025-52691 10.0
CVE-2025-15168 7.3
CVE-2025-15167 7.3
CVE-2025-15166 7.3
CVE-2025-15165 7.3