CVE-2025-26605
Published: 18 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-26605 is a SQL injection vulnerability (CWE-89) in the WeGIA open-source web manager application, which targets institutions and primarily serves Portuguese-language users. The flaw resides in the `deletar_cargo.php` endpoint, where insufficient input validation allows arbitrary SQL query execution. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.
An authorized attacker with low privileges, such as a legitimate user account, can exploit this over the network with low complexity and no user interaction required. Successful exploitation enables execution of arbitrary SQL queries, potentially granting access to sensitive information stored in the database, including unauthorized data extraction, modification, or deletion.
The GitHub security advisory (GHSA-6gv7-4j8g-cvgp) confirms the issue has been fixed in WeGIA version 3.2.13, urging all users to upgrade immediately. No workarounds are available.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a publicly accessible web application directly enables T1190 (Exploit Public-Facing Application) via network-accessible arbitrary SQL execution.