CVE ID: CVE-2025-51586
Published at: 2025-09-04
Platform: PrestaShop (Core)
Affected versions: from 1.7 to 8.2.2 - fixed in 8.2.3
Product author: PrestaShop
Weakness: CWE-359 - Exposure of Private Information ('Privacy Violation')
Severity: Moderate
CVSS v3 base score: 3.7 (Low)

Root cause: The template variables for the Back Office password reset form, including the targeted employee's email address, were assigned before verifying that the supplied token matched the employee's currently valid reset token. A request that reached the form with an existing employee identifier therefore exposed that employee's email whether or not the token was correct.

Proof of concept: An attacker can systematically enumerate the email addresses of all Back Office users by requesting the reset form with an arbitrary token and incrementing through employee identifier values.

Patch: Minimal logic hardening as merged upstream: the reset token is validated before the form's template variables are assigned.

Other recommendations: Enforce rate limiting on the password reset endpoint, install a security module providing 2FA for Back Office accounts, keep your Back Office URL secret and rotate it if it leaks, and keep PrestaShop up to date (8.2.3 or later).
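The root cause above is an ordering bug: employee data is bound to the template and only afterwards is the token checked. The following PHP is an added illustration, not PrestaShop's controller code and not the upstream patch; the `EMPLOYEES` table, the employee ids, emails and tokens, and the two `renderResetForm*` functions are all constructed for this example. It contrasts the vulnerable shape with a hardened one that verifies the token first (in constant time via `hash_equals`) and returns one indistinguishable response for an unknown id, a missing pending reset and a wrong token, so walking ids with a bogus token no longer yields emails.

```php
<?php
declare(strict_types=1);

// Added example (not PrestaShop's code). Constructed in-memory stand-in for the
// employee rows a Back Office reset link resolves; ids, emails and tokens are
// invented for the demonstration.
const EMPLOYEES = [
    1 => ['email' => 'admin@example.test',        'reset_token' => 'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6'],
    2 => ['email' => 'shop-manager@example.test', 'reset_token' => null], // no reset pending
];

// Vulnerable shape: the employee is looked up from the id in the URL and its
// email is handed to the template before the token is checked. An existing id
// with a wrong token is answered differently from an unknown id, and the answer
// carries the email, so ids can be walked to harvest addresses.
function renderResetFormVulnerable(int $idEmployee, string $token): array
{
    $employee = EMPLOYEES[$idEmployee] ?? null;
    if ($employee === null) {
        return ['error' => 'invalid_link'];
    }
    $vars = ['email' => $employee['email']];        // assigned first ...
    if ($employee['reset_token'] !== $token) {      // ... verified second
        $vars['error'] = 'invalid_link';
    }
    return $vars;
}

// Hardened shape: decide validity first, with a constant-time comparison, and
// return the same response for "unknown id", "no reset pending" and "wrong
// token". Employee data reaches the template only after the token is accepted.
function renderResetFormHardened(int $idEmployee, string $token): array
{
    $employee = EMPLOYEES[$idEmployee] ?? null;
    $expected = $employee === null ? null : $employee['reset_token'];
    $valid = is_string($expected) && $expected !== '' && hash_equals($expected, $token);
    if (!$valid) {
        return ['error' => 'invalid_link'];
    }
    return ['email' => $employee['email']];
}

// Simulate the enumeration described in the advisory: walk ids with a bogus token.
$bogus = str_repeat('0', 32);
foreach ([1, 2, 3] as $id) {
    printf(
        "id=%d vulnerable=%s hardened=%s\n",
        $id,
        json_encode(renderResetFormVulnerable($id, $bogus)),
        json_encode(renderResetFormHardened($id, $bogus))
    );
}

// The legitimate path is unchanged: the correct token for employee 1 still works.
printf("valid link: %s\n", json_encode(renderResetFormHardened(1, EMPLOYEES[1]['reset_token'])));
```

Run it with `php example.php`: the vulnerable function returns the email for ids 1 and 2 despite the wrong token, while the hardened function returns only `{"error":"invalid_link"}` for every id, including the non-existent id 3, so neither the response body nor its shape tells an enumerating client which ids exist. Rate limiting the endpoint, as recommended above, is a defence in depth on top of this fix, not a substitute for it.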