Cross-site scripting in WeGIA - CVE-2025-67496

 

Published: April 23, 2026


Vulnerability identifier: #VU127293
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-67496
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LabReDeS
Affected software:
WeGIA

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser.

The vulnerability exists due to cross-site scripting in the /WeGIA/html/geral/configurar_senhas.php endpoint when rendering employee names inside the employee selection dropdown. A remote user can store a crafted employee name to execute arbitrary JavaScript in the victim's browser.

The issue is triggered when the password configuration page loads and displays previously stored employee data.
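As an added illustration of the pattern described above (not WeGIA's code; the function names, the `nome` column and the sample rows are assumed), the raw concatenation that lets a stored name reach the browser as markup, beside the context-encoded form that renders it as text:

```php
<?php
// Constructed sample rows, standing in for what the page might read back
// from the database. The third name was stored with HTML inside it.
function sample_employees(): array {
    return [
        ['id' => 1, 'nome' => 'Ana Souza'],
        ['id' => 2, 'nome' => "O'Neil & Filhos"],
        ['id' => 3, 'nome' => '<script>alert(1)</script>'],
    ];
}

// Vulnerable pattern: the column value is concatenated straight into the
// <option> markup, so any tag stored in the name is parsed by the browser.
function render_options_unsafe(array $rows): string {
    $html = '';
    foreach ($rows as $row) {
        $html .= '<option value="' . $row['id'] . '">' . $row['nome'] . "</option>\n";
    }
    return $html;
}

// Hardened pattern: every untrusted value is HTML-encoded for the context it
// lands in (attribute value and element text), so the same stored string is
// displayed literally instead of being interpreted.
function render_options_safe(array $rows): string {
    $html = '';
    foreach ($rows as $row) {
        $id   = htmlspecialchars((string) $row['id'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $nome = htmlspecialchars($row['nome'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= '<option value="' . $id . '">' . $nome . "</option>\n";
    }
    return $html;
}

// Regression check to keep beside the template: the rendered output must not
// contain, verbatim, any input value that carried a tag. Requires PHP 8+.
function output_has_raw_tag(string $html, array $rows): bool {
    foreach ($rows as $row) {
        if (str_contains($row['nome'], '<') && str_contains($html, $row['nome'])) {
            return true;
        }
    }
    return false;
}

$rows = sample_employees();
assert(output_has_raw_tag(render_options_unsafe($rows), $rows) === true);
assert(output_has_raw_tag(render_options_safe($rows), $rows) === false);
echo render_options_safe($rows);
```

Encoding at output time is the fix that survives whatever was stored; validating names on input is a useful extra layer but does not protect rows already in the database.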


How to mitigate CVE-2025-67496

Install security update from vendor's website.

Sources