CVE-2025-62406

8.1 HIGH

📋 TL;DR

This vulnerability in Piwigo allows attackers to send password reset emails containing malicious links to legitimate users. By manipulating the Host header in HTTP requests, attackers can redirect users to attacker-controlled sites when they click password reset links. All Piwigo installations running version 15.6.0 or earlier are affected.

💻 Affected Systems

Products:
  • Piwigo
Versions: 15.6.0 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All Piwigo installations with password reset functionality enabled are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could redirect users to phishing sites that capture credentials, leading to account takeover and potential data theft from the photo gallery.

🟠

Likely Case

Attackers send password reset emails with malicious links to users, potentially leading to credential harvesting if users click the links.

🟢

If Mitigated

With proper email security awareness training, users would recognize suspicious password reset emails and avoid clicking malicious links.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires knowing or guessing valid usernames/emails, but the attack itself is simple to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 15.7.0

Vendor Advisory: https://github.com/Piwigo/Piwigo/security/advisories/GHSA-9986-w7jf-33f6

Restart Required: No

Instructions:

1. Backup your Piwigo installation and database.
2. Download Piwigo 15.7.0 from the official website.
3. Replace the existing installation files with the new version.
4. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable password reset functionality

Platform: all

Temporarily disable the password reset feature to prevent exploitation while planning for patching.

Configure web server to validate Host headers

Platform: linux

Configure your web server (Apache/Nginx) to validate or restrict Host header values, for example by serving the gallery only from a virtual host bound to its canonical hostname and having the default virtual host reject requests whose Host does not match.
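The following is an added illustration in Python, not Piwigo's code, of why this workaround matters: a reset link whose origin is copied from the request's Host header can be pointed anywhere, while a link built from a configured canonical base URL (and a Host allowlist check) cannot. The hostnames, the `/password.php` path and the query parameter names are assumptions for the example.

```python
"""
Added example (not Piwigo's code): a password-reset link built from the
request's Host header versus one built from a configured base URL.
All names, paths and parameters below are assumptions for illustration.
"""
from urllib.parse import urlencode

# Hypothetical site configuration: the canonical URL the application is served from
# and the only hostnames it should ever answer to.
CANONICAL_BASE_URL = "https://gallery.example.org"
ALLOWED_HOSTS = {"gallery.example.org"}


def _hostname(headers: dict) -> str:
    """Return the Host header without any port suffix, lower-cased."""
    return headers.get("Host", "").partition(":")[0].lower()


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Vulnerable pattern: the link's origin is whatever the client sent as Host.
    The e-mail goes to the real account owner, so a request with a forged Host
    yields a link that points at a domain the site operator does not control."""
    query = urlencode({"action": "reset", "key": token})
    return f"https://{_hostname(headers)}/password.php?{query}"


def build_reset_link_hardened(headers: dict, token: str) -> str:
    """Hardened pattern: refuse requests whose Host is not on the allowlist and
    never let the header influence the link; use the configured base URL."""
    host = _hostname(headers)
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"rejected request for unexpected Host: {host!r}")
    query = urlencode({"action": "reset", "key": token})
    return f"{CANONICAL_BASE_URL}/password.php?{query}"


if __name__ == "__main__":
    # Constructed requests: one with the real hostname, one with a forged one.
    print(build_reset_link_hardened({"Host": "gallery.example.org"}, "t0k3n"))
    print(build_reset_link_vulnerable({"Host": "not-the-gallery.example"}, "t0k3n"))
```

The allowlist check is the application-level twin of the web-server workaround: whichever layer enforces it, the reset link must be derived from configuration the operator controls rather than from a client-supplied header.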

🧯 If You Can't Patch

  • Implement rate limiting on password reset requests to prevent mass exploitation
  • Monitor logs for unusual password reset activity patterns

🔍 How to Verify

Check if Vulnerable:

Check your Piwigo version by logging into the admin panel and viewing the version information; any version at or below 15.6.0 is affected.

Check Version:

Check the Piwigo admin dashboard or view the version in the application files.

Verify Fix Applied:

After updating to 15.7.0, verify the version shows 15.7.0 in the admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Multiple password reset requests for different users from the same IP
  • Password reset requests with unusual Host header values (anything other than the site's canonical hostname)

Network Indicators:

  • HTTP requests to password reset endpoint with modified Host headers

SIEM Query:

source="piwigo_logs" AND (event="password_reset_request" AND count() > threshold)
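As an added example that is not part of this advisory, the two log indicators above can be checked with a short script before a SIEM rule exists. It parses constructed access-log lines (the field layout, the `/password.php` path, the `user` query parameter and the threshold value are all assumptions) and reports requests carrying an unexpected Host as well as source IPs that requested resets for more distinct users than the threshold.

```python
"""
Added example (not part of the advisory): detection logic for the two log
indicators, run over constructed access-log lines. Log format, reset path,
parameter names and threshold are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs

ALLOWED_HOSTS = {"gallery.example.org"}
RESET_PATH = "/password.php"          # assumed reset endpoint
THRESHOLD = 3                          # distinct users per IP before alerting (tuning value)

# Constructed sample log: client_ip host method path query ("-" when empty)
SAMPLE_LOG = """\
203.0.113.5 gallery.example.org GET /password.php action=lost&user=alice
203.0.113.5 not-the-gallery.example GET /password.php action=lost&user=bob
198.51.100.7 gallery.example.org GET /password.php action=lost&user=carol
198.51.100.7 gallery.example.org GET /password.php action=lost&user=dave
198.51.100.7 gallery.example.org GET /password.php action=lost&user=erin
198.51.100.7 gallery.example.org GET /password.php action=lost&user=frank
203.0.113.5 gallery.example.org GET /index.php -
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<host>\S+) (?P<method>\S+) (?P<path>\S+) (?P<query>\S+)$")


def parse_reset_events(text: str) -> list:
    """Return one event per request to the reset endpoint, ignoring other paths."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["path"] != RESET_PATH:
            continue
        params = parse_qs(m["query"]) if m["query"] != "-" else {}
        events.append({
            "ip": m["ip"],
            "host": m["host"].partition(":")[0].lower(),
            "user": params.get("user", ["?"])[0],
        })
    return events


def detect(text: str, threshold: int = THRESHOLD) -> dict:
    """Apply both indicators: unexpected Host values, and one IP driving resets
    for more than `threshold` distinct users."""
    events = parse_reset_events(text)
    unexpected_host = [(e["ip"], e["host"]) for e in events if e["host"] not in ALLOWED_HOSTS]
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e["ip"]].add(e["user"])
    mass_reset = {ip: len(users) for ip, users in users_by_ip.items() if len(users) > threshold}
    return {"unexpected_host": unexpected_host, "mass_reset": mass_reset}


if __name__ == "__main__":
    findings = detect(SAMPLE_LOG)
    for ip, host in findings["unexpected_host"]:
        print(f"ALERT unexpected Host {host!r} on reset request from {ip}")
    for ip, n in findings["mass_reset"].items():
        print(f"ALERT {ip} requested resets for {n} distinct users")
```

Counting distinct target users rather than raw requests keeps a single user who retries the form from tripping the rule, while still catching one source sweeping through many accounts. The Host check is the higher-fidelity signal: a reset request arriving with a hostname the site does not serve has no legitimate explanation.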

🔗 References
