CVE-2025-62406HIGH 8.8EPSS p25.9%

CVE-2025-62406CVE-2025-62406

Description

Piwigo is a full featured open source photo gallery application for the web. In Piwigo 15.6.0, using the password reset function allows sending a password-reset URL by entering an existing username or email address. However, the hostname used to construct this URL is taken from the HTTP request's Host header and is not validated at all. Therefore, an attacker can send a password-reset URL with a modified hostname to an existing user whose username or email the attacker knows or guesses. This issue has been patched in version 15.7.0.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS0.34% probability of exploitation · percentile 25.9% · 2026-06-18T12:00:27Z
Published2025-11-18
Last modified2025-11-25

Underlying weaknesses· 1

CWE-640

References

  1. https://github.com/Piwigo/Piwigo/commit/9d2565465efc3570963ff431b45cad21610f6692
  2. https://github.com/Piwigo/Piwigo/security/advisories/GHSA-9986-w7jf-33f6
  3. https://github.com/Piwigo/Piwigo/security/advisories/GHSA-9986-w7jf-33f6

1

TypeTargetConfidenceTier
WeaknessWeak Password Recovery Mechanism for Forgotten Passwordcwe-6400%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-27634
CVE
CVE-2025-62709
CVE
CVE-2025-15030
CVE
CVE-2025-14975
CVE
CVE-2026-32616
CVE
CVE-2025-6409
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.