Cross-site scripting in WeGIA - CVE-2025-53935

 


Published: April 30, 2026


Vulnerability identifier: #VU128686
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: CVE-2025-53935
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: WeGIA
Software vendor: LabReDeS

Description

The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to cross-site scripting (XSS) in the personalizacao_selecao.php endpoint when processing the id parameter in POST requests. A remote attacker can send a specially crafted request to execute arbitrary script in the victim's browser.

User interaction is required for the reflected payload to be executed in the victim's browser.
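
The class of flaw described above, shown as a vulnerable reflection of a POST `id` value beside a hardened form. This is an added example, not WeGIA source code and not the vendor's patch; the function names and the assumption that `id` is a positive integer record identifier are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical handlers for illustration; not taken from WeGIA.

// Vulnerable pattern: the POST value is copied into the HTML response
// unchanged, so any markup it contains is parsed as part of the page.
function render_unsafe(array $post): string
{
    $id = $post['id'] ?? '';
    return '<input type="hidden" name="id" value="' . $id . '">';
}

// Hardened pattern: validate against the expected type first, then encode
// for the HTML attribute context at the point of output.
function render_safe(array $post): string
{
    // Assumption: id is a positive integer record identifier.
    $id = filter_var(
        $post['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        // Reject instead of echoing the rejected value back to the client.
        http_response_code(400);
        return 'Invalid id';
    }
    // Encoding stays in place even after validation, so the output remains
    // safe if the validation rule is later relaxed.
    return '<input type="hidden" name="id" value="'
        . htmlspecialchars((string) $id, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '">';
}

// Constructed sample inputs (not from the advisory): one well-formed id and
// one value that closes the attribute and adds harmless markup.
foreach (['42', '"><b>constructed</b>'] as $value) {
    echo render_unsafe(['id' => $value]), PHP_EOL;
    echo render_safe(['id' => $value]), PHP_EOL;
}
```

For the second input, the unsafe handler emits the `<b>` element as live markup, while the hardened handler returns `Invalid id` with a 400 status.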


Remediation

Install the security update from the vendor's website.
