Cyber Resilience

CVE-2025-26605

CriticalPublic PoC

Published: 18 February 2025

Published
18 February 2025
Modified
10 April 2025
KEV Added
Patch
CVSS Score v4 9.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0053 67.8th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26605 is a critical-severity SQL Injection (CWE-89) vulnerability in Wegia Wegia. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 32.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-26605 is a SQL injection vulnerability (CWE-89) in the WeGIA open-source web manager application, which targets institutions and primarily serves Portuguese-language users. The flaw resides in the `deletar_cargo.php` endpoint, where insufficient input validation allows arbitrary SQL query execution. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.

An authorized attacker with low privileges, such as a legitimate user account, can exploit this over the network with low complexity and no user interaction required. Successful exploitation enables execution of arbitrary SQL queries, potentially granting access to sensitive information stored in the database, including unauthorized data extraction, modification, or deletion.

The GitHub security advisory (GHSA-6gv7-4j8g-cvgp) confirms the issue has been fixed in WeGIA version 3.2.13, urging all users to upgrade immediately. No workarounds are available.

EU & UK References

Vulnerability details

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A SQL Injection vulnerability was discovered in the WeGIA application, `deletar_cargo.php` endpoint. This vulnerability could allow an authorized attacker to execute arbitrary SQL queries,…

more

allowing access to sensitive information. This issue has been addressed in version 3.2.13 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in a publicly accessible web application directly enables T1190 (Exploit Public-Facing Application) via network-accessible arbitrary SQL execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-26612Same product: Wegia Wegia
CVE-2026-35395Same product: Wegia Wegia
CVE-2025-24906Same product: Wegia Wegia
CVE-2025-27133Same product: Wegia Wegia
CVE-2025-22141Same product: Wegia Wegia
CVE-2026-33134Same product: Wegia Wegia
CVE-2025-23219Same product: Wegia Wegia
CVE-2025-24902Same product: Wegia Wegia
CVE-2025-24958Same product: Wegia Wegia
CVE-2026-31895Same product: Wegia Wegia

Affected Assets

wegia
wegia
≤ 3.2.13

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 requires validating information inputs against expected syntax and semantics, directly preventing SQL injection in the deletar_cargo.php endpoint due to insufficient input validation.

prevent

SI-2 mandates identifying, prioritizing, and remediating flaws, directly addressing the need to upgrade WeGIA to version 3.2.13 where this SQL injection vulnerability is fixed.

prevent

RA-5 requires vulnerability scanning of applications, which would detect and enable remediation of SQL injection flaws like CVE-2025-26605 prior to exploitation.

References