CVE-2025-62512

Piwigo Vulnerable to User Enumeration via Password Reset Endpoint

CVSS 5.5 (Medium) · EPSS 0.8% · CWE-204
In short

Piwigo's password reset feature leaks information about which usernames and emails exist in the system. An attacker can test many accounts without needing to log in, making it easier to target specific users.

Technical detail

The password reset endpoint (password.php?action=lost) in Piwigo 15.5.0 and earlier generates different responses for existing versus non-existent accounts, allowing unauthenticated enumeration of valid usernames and email addresses. This information disclosure (CWE-204) has a CVSS score of 5.5 and facilitates subsequent targeted attacks such as credential stuffing or phishing.

Summary generated and translated by AI from the official description.
Piwigo is an open source photo gallery application for the web. In version 15.5.0 and likely earlier 15.x releases, the password reset functionality in Piwigo allows an unauthenticated attacker to determine whether a given username or email address exists in the system. The endpoint at password.php?action=lost returns distinct messages for valid vs. invalid accounts, enabling user enumeration. As of the time of publication, no known patches are available.
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
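The response discrepancy described above, shown as an added illustration in Python (not Piwigo's code, which is PHP): a reset handler that reveals account existence beside a uniform-response handler, plus the regression check a defender would keep in a test suite. The user table, handler names and messages are constructed for the example.

```python
# Added example: CWE-204 in a password-reset flow and the uniform-response fix.
# Nothing here is Piwigo code; names, messages and users are constructed.
import secrets

# Constructed sample accounts (hypothetical).
USERS = {"alice": "alice@example.org", "bob": "bob@example.org"}
TOKENS: dict[str, str] = {}  # pending reset tokens, keyed by username


def _lookup(identifier: str):
    """Match a username or email address; None if no account matches."""
    return next((u for u, e in USERS.items() if identifier in (u, e)), None)


def leaky_lost_password(identifier: str) -> str:
    """Vulnerable pattern: the message itself tells the caller whether the
    account exists, so an unauthenticated client can enumerate users."""
    user = _lookup(identifier)
    if user is None:
        return "No user matches this username or email."
    TOKENS[user] = secrets.token_urlsafe(32)
    return f"A reset link has been sent to {USERS[user]}."


def uniform_lost_password(identifier: str) -> str:
    """Hardened pattern: identical message (and status code, in a real app)
    whether or not the account exists; the email is only sent when it does.
    Pair this with rate limiting on the endpoint so timing or volume cannot
    be used as a side channel either."""
    user = _lookup(identifier)
    if user is not None:
        TOKENS[user] = secrets.token_urlsafe(32)
    return "If an account matches, a reset link has been sent to its email address."


def response_is_uniform(handler, known: str, unknown: str) -> bool:
    """Regression check: the visible response must not depend on whether the
    identifier belongs to a real account."""
    return handler(known) == handler(unknown)
```

Running `response_is_uniform` against each handler with one real and one made-up identifier distinguishes the two patterns; the same check, issued against the live endpoint with identical request shapes, is how a defender confirms the fix once a patch is applied.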
Affected products
Piwigo · Piwigo
