CVE-2025-62527 — Taguette password reset link poisoning

Description

Taguette is an open source qualitative research tool. An issue has been discovered in Taguette versions prior to 1.5.0. It was possible for an attacker to request password reset email containing a malicious link, allowing the attacker to set the email if clicked by the victim. This issue has been patched in version 1.5.0.

How to fix CVE-2025-62527

To remediate CVE-2025-62527, upgrade the affected package to a fixed version below.

—upgrade to 1.5.0 or later
—upgrade to 1.5.1 or later

Is CVE-2025-62527 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 1.5.0
from 0, < 1.5.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-62527
PATCHgithub.com/remram44/taguette
WEBgithub.com/pypa/advisory-database/tree/main/vulns/taguette/PYSEC-2025-187.yaml
WEBgithub.com/remram44/taguette/security/advisories/GHSA-7rc8-5c8q-jr6j