CVE-2025-62512
- Source
- https://cve.org/CVERecord?id=CVE-2025-62512
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-62512.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-62512
- Aliases
-
- GHSA-h4wx-7m83-xfxc
- Published
- 2026-02-24T16:43:28.919Z
- Modified
- 2026-02-25T08:54:33.251501Z
- Severity
-
- 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
- Summary
- Piwigo Vulnerable to User Enumeration via Password Reset Endpoint
- Details
-
Piwigo is an open source photo gallery application for the web. In version 15.5.0 and likely earlier 15.x releases, the password reset functionality in Piwigo allows an unauthenticated attacker to determine whether a given username or email address exists in the system. The endpoint at password.php?action=lost returns distinct messages for valid vs. invalid accounts, enabling user enumeration. As of time of publication, no known patches are available.
- Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-204" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/62xxx/CVE-2025-62512.json" }- References
Affected packages
Git / github.com/piwigo/piwigo
Affected versions
12.*
12.0.0RC1
12.0.0RC2
12.0.0beta1
12.0.0beta2
13.*
13.0.0RC1
13.0.0RC2
13.0.0RC3
13.0.0RC4
13.0.0beta1
13.0.0beta2
14.*
14.0.0RC1
14.0.0RC2
14.0.0beta1
14.0.0beta2
14.0.0beta3
15.*
15.0.0
15.0.0beta1
15.0.0beta2
15.0.0beta3
15.1.0
15.2.0
15.3.0
15.4.0
15.5.0
2.*
2.10.0RC1
2.10.0beta1
2.10.0beta2
2.11.0beta1
2.11.0beta2
2.11.0beta3
2.11.0beta4
2.8.0
2.8.0RC1
2.8.0RC2
2.8.1
2.8.2
2.9.0RC1
2.9.0RC2
2.9.0beta1
2.9.0beta2