Path traversal in WeGIA - CVE-2025-26615

 


Published: February 17, 2025 / Updated: May 2, 2026


Vulnerability identifier: #VU129026
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2025-26615
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LabReDeS
Affected software: WeGIA

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to path traversal in the examples.php endpoint when processing the src parameter in POST requests. A remote attacker can send a specially crafted request to disclose sensitive information.

The issue can expose config.php and other files outside the intended directory, and exposed database credentials may enable unauthorized access to the database.
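The class of check that prevents this kind of traversal (CWE-22), as an added example that is not WeGIA's code or the vendor's fix: a client-supplied src value is canonicalized and served only if it resolves to a file inside the intended directory. The function name resolveInsideBase, the examples/ layout and the sample values are assumptions constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not WeGIA code): returns the canonical path of $src only
// when it is a regular file inside $baseDir, otherwise null.
function resolveInsideBase(string $baseDir, string $src): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $src === '' || strpos($src, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks; it returns false for missing targets.
    $target = realpath($base . DIRECTORY_SEPARATOR . $src);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Trailing separator keeps a sibling such as "examples_old" from matching "examples".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed layout: an examples directory with a placeholder config.php beside it.
$root = sys_get_temp_dir() . '/cwe22_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/examples', 0700, true);
mkdir($root . '/examples_old', 0700, true);
file_put_contents($root . '/examples/sample.txt', "demo\n");
file_put_contents($root . '/examples_old/old.txt', "old\n");
file_put_contents($root . '/config.php', "<?php // constructed placeholder\n");

// Constructed src values and whether the request should be served.
$cases = [
    'sample.txt'              => true,
    '../config.php'           => false,
    '../examples_old/old.txt' => false,
    'missing.txt'             => false,
];
foreach ($cases as $src => $expected) {
    $allowed = resolveInsideBase($root . '/examples', $src) !== null;
    printf("%-26s %s\n", $src, $allowed ? 'served' : 'rejected');
    if ($allowed !== $expected) {
        throw new RuntimeException("unexpected result for $src");
    }
}

// Remove the constructed files.
foreach (['examples/sample.txt', 'examples_old/old.txt', 'config.php'] as $f) {
    unlink("$root/$f");
}
rmdir("$root/examples"); rmdir("$root/examples_old"); rmdir($root);
```

The comparison is made on the canonical path after resolution, not on the raw src string, so filtering for ".." in the input is not relied on.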


How to mitigate CVE-2025-26615

Install the security update from the vendor's website.
