Description

Piwigo is a full featured open source photo gallery application for the web. In Piwigo 15.6.0, using the password reset function allows sending a password-reset URL by entering an existing username or email address. However, the hostname used to construct this URL is taken from the HTTP request's Host header and is not validated at all. Therefore, an attacker can send a password-reset URL with a modified hostname to an existing user whose username or email the attacker knows or guesses. This issue has been patched in version 15.7.0.

INFO

Published Date :

2025-11-18T22:18:45.747Z

Last Modified :

2025-11-19T16:48:47.058Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-62406 vulnerability.

Vendors Products
Piwigo
  • Piwigo
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-62406.

URL Resource
https://github.com/Piwigo/Piwigo/commit/9d2565465efc3570963ff431b45cad21610f6692 cve-icon cve-icon
https://github.com/Piwigo/Piwigo/security/advisories/GHSA-9986-w7jf-33f6 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact