CVE-2025-62527: Taguette password reset link poisoning

October 20, 2025 (updated October 21, 2025)

An issue has been discovered in Taguette versions prior to 1.5.0. It was possible for an attacker to request password reset email containing a malicious link, allowing the attacker to set the email if clicked by the victim.

References

github.com/advisories/GHSA-7rc8-5c8q-jr6j
github.com/remram44/taguette
github.com/remram44/taguette/security/advisories/GHSA-7rc8-5c8q-jr6j
gitlab.com/remram44/taguette/-/issues/331
nvd.nist.gov/vuln/detail/CVE-2025-62527

Code Behaviors & Features

Detect and mitigate CVE-2025-62527 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →