Back to search
CVE-2025-62512
Published: Feb 24, 2026
Modified: Feb 27, 2026
PUBLISHED
Description
Piwigo is an open source photo gallery application for the web. In version 15.5.0 and likely earlier 15.x releases, the password reset functionality in Piwigo allows an unauthenticated attacker to determine whether a given username or email address exists in the system. The endpoint at password.php?action=lost returns distinct messages for valid vs. invalid accounts, enabling user enumeration. As of time of publication, no known patches are available.
| Vendor | Product | Versions |
|---|---|---|
Piwigo | Piwigo | affected = 15.5.0 |
Weaknesses (CWE)
References
https://github.com/Piwigo/Piwigo/security/advisories/GHSA-h4wx-7m83-xfxc
x_refsource_CONFIRM
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now