CVE-2025-26611
Published: 18 February 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-26611 is a SQL injection vulnerability in WeGIA, an open-source web manager application aimed primarily at Portuguese-language institutional users. The flaw resides in the `remover_produto.php` endpoint, where insufficient input validation allows an attacker to inject and execute arbitrary SQL queries, potentially leading to unauthorized access to sensitive information in the underlying database.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): it is exploitable remotely over the network with low attack complexity, and requires neither privileges nor user interaction. Any unauthenticated attacker with network access to a vulnerable WeGIA instance can execute arbitrary SQL commands, enabling data exfiltration, modification or deletion, or escalation to full compromise of the database.
The GitHub Security Advisory (GHSA-q273-4vcj-qqp4) confirms the issue was addressed in WeGIA version 3.2.13, urging all users to upgrade immediately. No workarounds are available.
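As an added illustration (not WeGIA's own code; the page does not reproduce `remover_produto.php`), the following Python model of a product-deletion handler shows the class of defect described above beside its hardened form. The `produto` table, the `id_produto` parameter name and the sample rows are constructed for the example, and sqlite3 stands in for the real database.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the application's product table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE produto (id_produto INTEGER PRIMARY KEY, nome TEXT)")
    conn.executemany(
        "INSERT INTO produto (id_produto, nome) VALUES (?, ?)",
        [(1, "cadeira"), (2, "mesa"), (3, "armario")],
    )
    conn.commit()
    return conn


def remaining_ids(conn: sqlite3.Connection) -> list:
    """Product ids still present, in order; used to observe what a delete actually did."""
    return [row[0] for row in conn.execute("SELECT id_produto FROM produto ORDER BY id_produto")]


def remover_produto_vulnerable(conn: sqlite3.Connection, id_produto: str) -> list:
    """Hypothetical vulnerable handler: the request parameter is spliced straight into
    the statement, so anything the client appends becomes part of the WHERE clause."""
    sql = "DELETE FROM produto WHERE id_produto = " + id_produto
    conn.execute(sql)
    conn.commit()
    return remaining_ids(conn)


def remover_produto_hardened(conn: sqlite3.Connection, id_produto: str) -> list:
    """Hardened handler: validate the identifier's type first, then bind it as a query
    parameter so the database driver never interprets the value as SQL."""
    if not id_produto.isdigit():
        raise ValueError("id_produto must be a positive integer")
    conn.execute("DELETE FROM produto WHERE id_produto = ?", (int(id_produto),))
    conn.commit()
    return remaining_ids(conn)


def rejects_input(id_produto: str) -> bool:
    """True when the hardened handler refuses the value and leaves the table untouched."""
    conn = make_db()
    try:
        remover_produto_hardened(conn, id_produto)
        return False
    except ValueError:
        return remaining_ids(conn) == [1, 2, 3]


if __name__ == "__main__":
    benign, hostile = "2", "2 OR 1=1"          # constructed request values
    print(remover_produto_vulnerable(make_db(), benign))   # [1, 3]
    print(remover_produto_vulnerable(make_db(), hostile))  # []  every row deleted
    print(remover_produto_hardened(make_db(), benign))     # [1, 3]
    print(rejects_input(hostile))                          # True
```

In PHP the equivalent fix is a prepared statement (PDO `prepare()`/`execute()` or MySQLi `bind_param()`) combined with type validation of the identifier; concatenating request parameters into a query string is the pattern to flag in code review, and for this CVE the remediation the advisory prescribes is the upgrade to 3.2.13.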
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in an unauthenticated, public-facing web endpoint directly enables T1190 (remote exploitation of a public-facing application); arbitrary SQL execution facilitates T1213.006 (access to, and exfiltration, modification or deletion of, data held in the database).