CVE-2025-62512

MEDIUM EPSS 50.9%

Published Feb 24, 20264mo ago · Modified Feb 25, 20264mo ago

5.5 CVSS 4.0

Medium

Published Feb 24, 2026 4mo ago

Last Modified Feb 25, 2026 4mo ago

Description

Piwigo is an open source photo gallery application for the web. In version 15.5.0 and likely earlier 15.x releases, the password reset functionality in Piwigo allows an unauthenticated attacker to determine whether a given username or email address exists in the system. The endpoint at password.php?action=lost returns distinct messages for valid vs. invalid accounts, enabling user enumeration. As of time of publication, no known patches are available.

CVSS Details

Base Score

5.5

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope X

Threat Intelligence

EPSS Exploit Probability

50.9% percentile

Exploit & Patch Status

Public Exploit Known

No Patch Available

Weaknesses 1

CWE-204

Affected Products 1

Vendor	Product	Version	Range
piwigo	piwigo	*	≥15.0.0 – ≤15.5.0

References 1

github.com https://github.com/Piwigo/Piwigo/security/advisories/GHSA-h4wx-7m83-xfxc

ExploitMitigationVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.