CVE-2025-62512
MEDIUM NUCLEIPiwigo 15.0.0-15.5.0 - Unauthenticated User Enumeration via Password Reset Endpoint
Title source: llmExploitation Summary
CVE-2025-62512 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
Piwigo is an open source photo gallery application for the web. In version 15.5.0 and likely earlier 15.x releases, the password reset functionality in Piwigo allows an unauthenticated attacker to determine whether a given username or email address exists in the system. The endpoint at password.php?action=lost returns distinct messages for valid vs. invalid accounts, enabling user enumeration. As of time of publication, no known patches are available.
Nuclei Templates (1)
Piwigo - User Enumeration via Password Reset
MEDIUMVERIFIEDby DhiyaneshDk
Shodan:
http.html:"Piwigo"
FOFA:
body="Piwigo"
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://github.com/Piwigo/Piwigo/security/advisories/GHSA-h4wx-7m83-xfxc
Scores
CVSS v3
5.3
EPSS
0.0204
EPSS Percentile
84.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-204
Status
published
Products (1)
piwigo/piwigo
15.0.0 - 15.5.0
Published
Feb 24, 2026
Tracked Since
Feb 25, 2026