PT-2025-47413 · Piwigo · Piwigo
Published 2025-11-18 · Updated 2025-11-19 · CVE-2025-62406
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Piwigo versions prior to 15.7.0
Description
Piwigo is a photo gallery application for the web. The password reset function in versions prior to 15.7.0 does not validate the hostname used in the password-reset URL, which is taken directly from the HTTP request's Host header. This allows an attacker to send a password-reset URL with a modified hostname to a user, potentially leading to account compromise if the attacker knows or guesses the user's username or email address.
Recommendations
Update to version 15.7.0 or later.
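The defect described above is the generic "reset link built from the Host header" pattern. The following is an added illustration, not Piwigo's code: the vulnerable form next to a hardened form that takes the hostname from server-side configuration and only compares the request's Host header against an allowlist. The function names, the `/reset.php?key=` path, the hostnames and the token are all constructed for the example.

```php
<?php
// Added example, not Piwigo code. Hostnames, path and token are constructed.

// Vulnerable pattern: the link's hostname is copied from the request.
// HTTP_HOST is attacker-controlled on an unauthenticated reset request, so
// whatever host the attacker sends ends up in the email the victim receives.
function reset_url_from_host_header(array $server, string $token): string
{
    return 'https://' . $server['HTTP_HOST']
        . '/reset.php?key=' . rawurlencode($token);   // hypothetical path
}

// Hardened pattern: the emailed link always uses the configured canonical
// base URL; the Host header is only checked against an allowlist and the
// request is refused (and logged) when it does not match.
function reset_url_from_config(
    array $server,
    string $token,
    string $canonical_base,   // e.g. 'https://gallery.example', from config
    array $allowed_hosts      // lowercase hostnames without port
): ?string {
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host);   // drop ":443" style suffix
    if (!in_array($host, $allowed_hosts, true)) {
        error_log("password reset refused: unexpected Host header '$host'");
        return null;
    }
    return rtrim($canonical_base, '/')
        . '/reset.php?key=' . rawurlencode($token);   // hypothetical path
}

// Constructed requests: one with an attacker-chosen Host header, one legitimate.
$token      = 'constructed-reset-token';
$poisoned   = ['HTTP_HOST' => 'attacker.example'];
$legitimate = ['HTTP_HOST' => 'gallery.example:443'];
$allowed    = ['gallery.example'];

// The vulnerable builder happily points the victim at the attacker's host.
echo reset_url_from_host_header($poisoned, $token), "\n";

// The hardened builder refuses the poisoned request and returns null...
var_dump(reset_url_from_config($poisoned, $token, 'https://gallery.example', $allowed));

// ...and emits the canonical hostname for the legitimate one, regardless of
// what the Host header (including its port) looked like.
echo reset_url_from_config($legitimate, $token, 'https://gallery.example', $allowed), "\n";
```

In a real deployment the allowlist and canonical base must come from configuration that the request cannot influence; the log line gives responders a signal that someone is probing the reset flow with unexpected Host values.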
Affected Products
Piwigo