CVE-2025-26606
Published: 18 February 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-26606 is a SQL injection vulnerability in the WeGIA open-source web manager application, which targets institutions and emphasizes Portuguese-language users. The flaw resides in the `informacao_adicional.php` endpoint, enabling attackers to execute arbitrary SQL queries and gain unauthorized access to sensitive information. It is associated with CWE-89 (SQL Injection) and CWE-284 (Improper Access Control), earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to high impacts on confidentiality, integrity, and availability.
The vulnerability is exploitable remotely over the network by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation allows arbitrary SQL query execution, potentially leading to full compromise of the database, including extraction, modification, or deletion of sensitive data.
The GitHub Security Advisory (GHSA-rxjr-cw9q-cwwg) confirms the issue is fixed in WeGIA version 3.2.13, urging all users to upgrade immediately, with no known workarounds available.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web app directly maps to T1190 for remote exploitation; arbitrary SQL queries enable/facilitate data access from databases (T1213.006).