Arbitrary file upload in WeGIA - CVE-2025-22133
Published: January 7, 2025 / Updated: May 2, 2026
WeGIA
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to unrestricted upload of file with dangerous type in /WeGIA/html/socio/sistema/controller/controla_xlsx.php when handling file uploads. A remote user can upload a specially crafted .phar file to execute arbitrary code.
The uploaded file can then be executed by the server from a reachable file path.