Piwigo Photo Gallery Application Vulnerability in Password Reset Feature
CVE-2025-62406

8.1 HIGH

Key Information:

Vendor: Piwigo
Status: Vendor
CVE Published: 18 November 2025

What is CVE-2025-62406?

Piwigo, an open source photo gallery application, has a vulnerability in its password reset functionality in version 15.6.0. The application builds password-reset URLs from the Host header of the incoming HTTP request without validating it. An attacker can therefore cause the application to generate a password-reset link that points at a hostname of the attacker's choosing, potentially tricking users into submitting their credentials. This flaw has been fixed in version 15.7.0, which validates the hostname before using it in the link.
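
To illustrate the flaw class described above, here is an added example (not Piwigo's code) of a hypothetical reset-link builder in its vulnerable shape, which trusts the request's Host header, beside a hardened shape that only accepts hosts from an allow-list and otherwise falls back to a configured canonical host. The function names, the `/password.php?key=` path and the sample hosts are assumptions for the example.

```php
<?php
// Added example, not from the Piwigo project. Shows why a reset link
// must not be built from an unvalidated Host header.

// Vulnerable shape: the host in the link is whatever the client sent in
// the Host header, so a forged header controls where the link points.
function build_reset_url_vulnerable(array $server, string $token): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . $server['HTTP_HOST'] . '/password.php?key=' . rawurlencode($token);
}

// Hardened shape: the Host header is compared exactly (case-insensitive,
// including any port suffix) against an allow-list taken from site
// configuration; anything else is replaced by the canonical host.
function build_reset_url_hardened(array $server, string $token, array $allowed_hosts, string $canonical_host): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $host = strtolower((string) ($server['HTTP_HOST'] ?? ''));
    if (!in_array($host, array_map('strtolower', $allowed_hosts), true)) {
        $host = $canonical_host; // never echo an unknown host back to the user
    }
    return $scheme . '://' . $host . '/password.php?key=' . rawurlencode($token);
}

// Constructed request data: a Host header that does not belong to the site.
$forged_request = ['HTTPS' => 'on', 'HTTP_HOST' => 'not-the-gallery.example'];
$token          = 'constructed-sample-token';
$allowed_hosts  = ['gallery.example.org'];

// The first link carries the forged host; the second is pinned to the
// allow-listed canonical host regardless of what the request claimed.
echo build_reset_url_vulnerable($forged_request, $token), "\n";
echo build_reset_url_hardened($forged_request, $token, $allowed_hosts, 'gallery.example.org'), "\n";
```

The same check belongs in any place the application derives an absolute URL from the request (e-mail links, redirects), since the Host header is client-controlled on every request.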

Affected Version(s)

Piwigo = 15.6.0

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
