SQL injection in WeGIA - CVE-2025-26606


Published: February 16, 2025 / Updated: May 2, 2026


Vulnerability identifier: #VU129016
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2025-26606
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LabReDeS
Affected software:
WeGIA

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary SQL queries and disclose sensitive information.

The vulnerability exists due to SQL injection in the informacao_adicional.php endpoint when handling the id_descricao parameter in requests. A remote attacker can send a specially crafted request to execute arbitrary SQL queries and disclose sensitive information.

The issue can be exploited without being logged in: after session validation the script issues a redirect but does not stop executing, so the query still runs for unauthenticated requests.
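The two defects the advisory describes, a query built directly from a request parameter and a redirect after session validation that does not terminate the script, are illustrated below next to a hardened form. This is an added example, not WeGIA's code: the handler names, the `$sessionValid` flag, the redirect target and the table and column names are assumptions chosen for illustration, and the demo at the end uses a constructed in-memory SQLite table.

```php
<?php
// Added illustration, not code from WeGIA. Function names, $sessionValid,
// the redirect target and the table/column names are assumptions.
declare(strict_types=1);

// --- Hypothetical flawed pattern ---------------------------------------------
function flawedHandler(PDO $pdo, bool $sessionValid, array $get): array
{
    if (!$sessionValid) {
        // A Location header is sent, but without exit the script keeps running,
        // so everything below executes for an unauthenticated request too.
        header('Location: ../html/index.php');
    }
    // The request parameter is concatenated straight into the SQL text.
    $sql = 'SELECT * FROM informacao_adicional WHERE id_descricao = '
         . ($get['id_descricao'] ?? '');
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened form -----------------------------------------------------------
function hardenedHandler(PDO $pdo, bool $sessionValid, array $get): array
{
    if (!$sessionValid) {
        header('Location: ../html/index.php');
        exit; // stop here: nothing below runs without a valid session
    }
    // Validate the parameter's type before it reaches the database.
    $id = filter_var($get['id_descricao'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        http_response_code(400);
        exit;
    }
    // Bind the value as an integer; the SQL text never contains user input.
    $stmt = $pdo->prepare(
        'SELECT * FROM informacao_adicional WHERE id_descricao = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Stand-alone demo with constructed sample data ---------------------------
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE informacao_adicional (id_descricao INTEGER, descricao TEXT)');
$pdo->exec("INSERT INTO informacao_adicional VALUES (1, 'constructed sample row')");

// With a valid session and a well-formed id the hardened handler returns the row.
var_export(hardenedHandler($pdo, true, ['id_descricao' => '1']));
```

Two points matter for remediation review: the `exit` after `header('Location: ...')` is what actually enforces the authentication gate, and the prepared statement with `PDO::PARAM_INT` binding is what removes the injection regardless of how the parameter is shaped. Checking for both in every endpoint that validates a session and then queries the database is the practical way to confirm a fix of this class.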


How to mitigate CVE-2025-26606

Install the security update from the vendor's website.

Sources