Cross-site scripting in WeGIA - CVE-2025-53820

 


Published: April 30, 2026


Vulnerability identifier: #VU128695
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: CVE-2025-53820
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: WeGIA
Software vendor: LabReDeS

Description

The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser and disclose sensitive information.

The vulnerability exists due to cross-site scripting (XSS) in the erro parameter of the index.php endpoint when handling a crafted GET request. A remote attacker can supply a specially crafted value for the erro parameter to execute arbitrary script in the victim's browser and disclose sensitive information.

User interaction is required to load the crafted request.
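
For triage while the update is pending, the following added example (not part of the original advisory and not vendor code) scans web server access logs for GET requests to index.php whose erro parameter decodes to markup characters. The combined log format, the /WeGIA/ install path, the sample lines and the assumption that legitimate erro values never contain markup characters are all assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Characters that let a reflected value leave a text or attribute context.
MARKUP_RE = re.compile(r'[<>"\'`]')

def suspicious_erro(line):
    """Return the decoded erro value if it carries markup characters, else None."""
    m = REQUEST_RE.search(line)
    if not m or m.group("method") != "GET":
        return None
    url = urlsplit(m.group("target"))
    if not url.path.lower().endswith("index.php"):
        return None
    for value in parse_qs(url.query, keep_blank_values=True).get("erro", []):
        # parse_qs decodes once; decode a second time to catch double encoding.
        for candidate in (value, unquote(value)):
            if MARKUP_RE.search(candidate):
                return candidate
    return None

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Apr/2026:10:00:01 +0000] "GET /WeGIA/index.php?erro=1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [30/Apr/2026:10:00:07 +0000] "GET /WeGIA/index.php?erro=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 530',
    '203.0.113.9 - - [30/Apr/2026:10:00:09 +0000] "GET /WeGIA/index.php?erro=%253Cb%253E HTTP/1.1" 200 530',
    '198.51.100.2 - - [30/Apr/2026:10:01:00 +0000] "GET /WeGIA/home.php?erro=%3Cb%3E HTTP/1.1" 200 100',
]

def scan(lines):
    """Return (line_number, decoded_value) for every flagged request."""
    hits = []
    for n, line in enumerate(lines, 1):
        value = suspicious_erro(line)
        if value is not None:
            hits.append((n, value))
    return hits

if __name__ == "__main__":
    for n, value in scan(SAMPLE_LOG):
        print(f"line {n}: erro={value!r}")
```

A hit is a lead for review, not proof of exploitation: the log shows only that a request carrying markup in erro reached the server.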


Remediation

Install the security update from the vendor's website.
