CVE-2025-46828 | THREATINT

Description

WeGIA is a web manager for charitable institutions. An unauthenticated SQL Injection vulnerability was identified in versions up to and including 3.3.0 in the endpoint `/html/socio/sistema/get_socios.php`, specifically in the query parameter. This issue allows attackers to inject and execute arbitrary SQL statements against the application's underlying database. As a result, it may lead to data exfiltration, authentication bypass, or complete database compromise. Version 3.3.1 fixes the issue.

PUBLISHED Reserved 2025-04-30 | Published 2025-05-07 | Updated 2025-05-07 | Assigner GitHub_M

CRITICAL: 10.0CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Problem types

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

< 3.3.1

affected

References

github.com/.../WeGIA/security/advisories/GHSA-5qw5-q55h-6qg7

github.com/...ommit/214dab59509bd3637f94adf381298c12da4ff80f

cve.org (CVE-2025-46828)

nvd.nist.gov (CVE-2025-46828)

Download JSON