Main Vulnerability Database Vulnerabilities #VU129017

SQL injection in WeGIA - CVE-2025-26607

Published: February 16, 2025 / Updated: May 2, 2026

Vulnerability identifier: #VU129017

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2025-26607

CWE-ID: CWE-89

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: LabReDeS

Affected software:
WeGIA

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary SQL queries.

The vulnerability exists due to SQL injection in the documento_excluir.php endpoint when handling a crafted id_funcionario GET parameter. A remote attacker can send a specially crafted request to execute arbitrary SQL queries.

The issue can be exploited without being logged in because execution continues after the redirect code following session validation.

How to mitigate CVE-2025-26607

Install security update from vendor's website.

Sources

https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-g6wj-3vm2-c59m

SQL injection in WeGIA - CVE-2025-26607

Detailed vulnerability description

How to mitigate CVE-2025-26607

Sources

Please verify you're human