SQL injection in WeGIA - CVE-2025-26608
Published: February 16, 2025 / Updated: May 2, 2026
WeGIA
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary SQL queries and disclose sensitive information.
The vulnerability exists due to SQL injection in the dependente_docdependente.php endpoint when handling POST requests containing the id_dependente or id_doc parameters. A remote attacker can send a specially crafted request to execute arbitrary SQL queries and disclose sensitive information.
The issue can be exploited without logging in because script execution continues past the redirect that follows session validation.
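The two defects described above (a redirect with no exit, and request parameters reaching the SQL text) are shown below next to a hardened handler. This is an added example, not WeGIA's code or its fix; it assumes PHP 8.1+ with pdo_sqlite, and the table, column, session key and login.php names are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example, not WeGIA's code; all table, column and file names are hypothetical.
// Pattern the advisory describes, for contrast only:
//   if (!isset($_SESSION['usuario'])) { header('Location: login.php'); } // no exit, script runs on
//   $sql = "... WHERE id_dependente = " . $_POST['id_dependente'];       // input concatenated into SQL

/** Accept only a positive integer id; anything else yields null. */
function positiveInt(mixed $raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

/** Returns [status, redirect target or null, body]; does no output itself. */
function handle(PDO $pdo, array $session, array $post): array
{
    if (!isset($session['usuario'])) {
        return [302, 'login.php', ''];   // nothing below runs for anonymous callers
    }
    $id = positiveInt($post['id_dependente'] ?? null);
    if ($id === null) {
        return [400, null, 'invalid id_dependente'];
    }
    // Bound parameter: the value never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT id_doc, nome FROM dependente_doc WHERE id_dependente = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return [200, null, json_encode($stmt->fetchAll(PDO::FETCH_ASSOC))];
}

/** Emit the response and stop; the exit is what the vulnerable pattern lacked. */
function send(array $r): never
{
    http_response_code($r[0]);
    if ($r[1] !== null) { header('Location: ' . $r[1]); }
    echo $r[2];
    exit;
}

// Constructed demo data and requests for the CLI; a web entry point would
// instead call send(handle($pdo, $_SESSION, $_POST)).
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE dependente_doc (id_doc INTEGER, id_dependente INTEGER, nome TEXT)');
$pdo->exec("INSERT INTO dependente_doc VALUES (1, 7, 'rg.pdf')");
$cases = [[[], ['id_dependente' => '7']], [['usuario' => 'a'], ['id_dependente' => '7 OR 1=1']], [['usuario' => 'a'], ['id_dependente' => '7']]];
foreach ($cases as [$session, $post]) {
    echo json_encode(handle($pdo, $session, $post)), PHP_EOL;
}
```

The three constructed requests yield a 302 for the anonymous caller, a 400 for the non-integer id, and a 200 with the matching row. An id_doc parameter would go through the same validation and binding.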