Cross-site scripting in WeGIA - CVE-2025-62178
Published: April 23, 2026
WeGIA
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser.
The vulnerability exists due to cross-site scripting in the /html/atendido/cadastro_atendido_parentesco_pessoa_nova.php endpoint when handling the idatendido parameter in GET requests. A remote privileged user can send a specially crafted request to execute arbitrary JavaScript in the victim's browser.
User interaction is required to access the crafted URL.
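For triage, the added example below (not part of the advisory or of WeGIA's code) scans web-server access logs for GET requests to the affected endpoint whose `idatendido` value is not a plain integer. It assumes `idatendido` is normally a numeric record ID and that logs use the common/combined format; the `/WeGIA/` path prefix and all log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/html/atendido/cadastro_atendido_parentesco_pessoa_nova.php"
PARAM = "idatendido"
# Request field of a common/combined log line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: a legitimate idatendido is a short decimal record ID.
VALID_ID_RE = re.compile(r"[0-9]{1,10}")


def suspicious_requests(log_lines):
    """Return (line_no, decoded_value) for each GET to ENDPOINT whose
    idatendido value is not a plain decimal integer."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m or m.group("method") != "GET":
            continue  # the advisory concerns GET requests only
        url = urlsplit(m.group("target"))
        if not url.path.endswith(ENDPOINT):
            continue
        # parse_qs percent-decodes values; keep blanks so "idatendido=" is seen
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get(PARAM, []):
            if not VALID_ID_RE.fullmatch(value):
                hits.append((line_no, value))
    return hits


# Constructed sample log lines (documentation IP ranges, made-up values).
BASE = "/WeGIA" + ENDPOINT
SAMPLE_LOG = [
    f'203.0.113.5 - - [01/Jan/2026:10:00:00 +0000] "GET {BASE}?idatendido=12 HTTP/1.1" 200 5120',
    f'203.0.113.9 - - [01/Jan/2026:10:01:00 +0000] "GET {BASE}?idatendido=12%22%3E%3Cb%3Etest HTTP/1.1" 200 5160',
    '203.0.113.9 - - [01/Jan/2026:10:02:00 +0000] "GET /WeGIA/html/home.php?idatendido=%3Cb%3E HTTP/1.1" 200 900',
    f'198.51.100.7 - - [01/Jan/2026:10:03:00 +0000] "POST {BASE}?idatendido=abc HTTP/1.1" 302 0',
    f'198.51.100.7 - - [01/Jan/2026:10:04:00 +0000] "GET {BASE}?idatendido= HTTP/1.1" 200 5100',
]

if __name__ == "__main__":
    for line_no, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: non-numeric {PARAM} value {value!r}")
```

A hit is a lead for review, not proof of exploitation: check the referrer and the session that followed the flagged request.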