CVE-2025-46828: Unauthenticated SQL Injection on get_socios.php endpoint

10.0 CVSS

Description

WeGIA is a web manager for charitable institutions. An unauthenticated SQL Injection vulnerability was identified in versions up to and including 3.3.0 in the endpoint `/html/socio/sistema/get_socios.php`, specifically in the query parameter. This issue allows attackers to inject and execute arbitrary SQL statements against the application's underlying database. As a result, it may lead to data exfiltration, authentication bypass, or complete database compromise. Version 3.3.1 fixes the issue.

Classification

CVE ID: CVE-2025-46828

CVSS Base Severity: CRITICAL

CVSS Base Score: 10.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Problem Types

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Affected Products

Vendor: LabRedesCefetRJ

Product: WeGIA

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.18% (probability of being exploited)

EPSS Percentile: 39.93% (scored less or equal to compared to others)

EPSS Date: 2025-06-05 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-46828
https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-5qw5-q55h-6qg7
https://github.com/LabRedesCefetRJ/WeGIA/commit/214dab59509bd3637f94adf381298c12da4ff80f

Timeline

2025-05-07 18:40:15 UTC
CVE

Unauthenticated SQL Injection on get_socios.php endpoint