CVE-2025-62406
HIGHDescription
Piwigo is a full featured open source photo gallery application for the web. In Piwigo 15.6.0, using the password reset function allows sending a password-reset URL by entering an existing username or email address. However, the hostname used to construct this URL is taken from the HTTP request's Host header and is not validated at all. Therefore, an attacker can send a password-reset URL with a modified hostname to an existing user whose username or email the attacker knows or guesses. This issue has been patched in version 15.7.0.
Is your site exposed to CVE-2025-62406?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| piwigo | piwigo |
References
Advisories & Patches
Frequently Asked Questions
What is CVE-2025-62406? +
How severe is CVE-2025-62406? +
What products are affected by CVE-2025-62406? +
How do I check if I'm vulnerable to CVE-2025-62406? +
Related Vulnerabilities
FOSSBilling is a free, open-source billing and client management system. In versions 0.5.6 through 0.7.2, when a `ClientPasswordReset` record already …
Natours is a Tour Booking API. The attacker can easily take over any victim account by injecting an attacker-controlled server …
This vulnerability exists in the CAP back office application due to a weak password-reset mechanism implemented at API endpoints. An …
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, …
An issue in DokuWiki 2025-05-14b "Librarian" 56.2 allows a remote attacker to create an account via the register function in …
The SignUp & SignIn plugin for WordPress is vulnerable to Authentication Bypass via Weak Password Reset Validation leading to Account …