SQL injection in WeGIA - CVE-2025-26617

Published: February 17, 2025 / Updated: April 30, 2026


Vulnerability identifier: #VU128719
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2025-26617
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LabReDeS
Affected software:
WeGIA

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary SQL queries and disclose sensitive information.

The vulnerability exists due to improper neutralization of special elements used in an SQL command in the historico_paciente.php endpoint when handling the id_fichamedica GET parameter. A remote attacker can send a specially crafted request to execute arbitrary SQL queries and disclose sensitive information.

The endpoint code continues executing after the redirect logic (the script does not stop after sending the redirect for unauthenticated requests), so the vulnerable query still runs and exploitation is possible even when the requester is not logged in.
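The following is an added illustration, not WeGIA's own code: a simplified PHP endpoint showing the two defects the advisory describes (the GET parameter spliced into the SQL string, and a redirect that is not followed by exit) next to a hardened version. The table name ficha_medica, the session key usuario and the login path are assumptions made for the example.

```php
<?php
// Added example (hypothetical, not WeGIA's source). Table/column names,
// the session key and the redirect target are assumed for illustration.

// --- Vulnerable pattern -----------------------------------------------------
function historico_paciente_vulnerable(PDO $pdo, array $get, array $session): array
{
    if (!isset($session['usuario'])) {
        header('Location: ../login.php');
        // No exit/die here: PHP keeps executing after the redirect header is
        // sent, so the query below still runs for unauthenticated requests.
    }

    // The id_fichamedica GET parameter is concatenated into the SQL text
    // without validation or parameter binding (CWE-89).
    $sql = "SELECT * FROM ficha_medica WHERE id_fichamedica = "
         . $get['id_fichamedica'];

    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened pattern ------------------------------------------------------
function historico_paciente_hardened(PDO $pdo, array $get, array $session): array
{
    if (!isset($session['usuario'])) {
        header('Location: ../login.php');
        exit; // stop here so nothing below runs for unauthenticated requests
    }

    // Enforce the expected type before the value reaches the database.
    $id = filter_var($get['id_fichamedica'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || $id === null) {
        http_response_code(400);
        exit;
    }

    // Parameterised query: the value is bound, never spliced into the SQL.
    $stmt = $pdo->prepare(
        'SELECT * FROM ficha_medica WHERE id_fichamedica = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage sketch (assumed deployment): the real endpoint would call
//   historico_paciente_hardened($pdo, $_GET, $_SESSION);
// with a PDO connection that has PDO::ATTR_EMULATE_PREPARES set to false so
// that the database, not the driver, performs the parameter binding.
```

Both fixes matter independently: the exit after the redirect closes the authentication bypass the advisory mentions, while the integer validation and prepared statement close the injection itself. Code review for this class of bug should check every header('Location: ...') call for a following exit and every query for string concatenation of request data.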


How to mitigate CVE-2025-26617

Install the security update from the vendor's website.

Sources