What is the CVSS score of CVE-2025-50201?

CVE-2025-50201 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 30.1%.

Which versions of PHP are affected by CVE-2025-50201?

A critical unauthenticated remote code execution vulnerability in WeGIA (version <3.4.2) allows attackers to execute arbitrary commands on servers hosting charitable institution management systems.. A patch is available.

Is there a public PoC exploit available for CVE-2025-50201?

Yes, a public proof-of-concept exploit is available for CVE-2025-50201. Prioritise patching immediately. EPSS: 30.1%.

How to fix or mitigate CVE-2025-50201?

Within 24 hours: Identify all systems running WeGIA versions prior to 3.4.2 and isolate them or restrict network access to the /html/configuracao/debug_info.php endpoint. Within 7 days: Apply vendor patch to version 3.4.2 on all affected systems and verify successful deployment. Within 30 days: Conduct security audit of affected systems for indicators of compromise, review access logs for suspicious activity, and implement web application firewall rules to block exploitation attempts if any unpatched systems remain.

PHP CVE-2025-50201

Q: Is there a public PoC exploit available for CVE-2025-50201?

Yes, a public proof-of-concept exploit is available for CVE-2025-50201. Prioritise patching immediately. EPSS: 30.1%.

Q: How to fix or mitigate CVE-2025-50201?

Within 24 hours: Identify all systems running WeGIA versions prior to 3.4.2 and isolate them or restrict network access to the /html/configuracao/debug_info.php endpoint. Within 7 days: Apply vendor patch to version 3.4.2 on all affected systems and verify successful deployment. Within 30 days: Conduct security audit of affected systems for indicators of compromise, review access logs for suspicious activity, and implement web application firewall rules to block exploitation attempts if any unpatched systems remain.

EUVD-2025-18681 CRITICAL

OS Command Injection (CWE-78)

2025-06-19 security-advisories@github.com

PHP Command Injection Wegia

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 00:08 euvd

EUVD-2025-18681

Analysis Generated

Mar 15, 2026 - 00:08 vuln.today

Patch released

Mar 15, 2026 - 00:08 nvd

Patch available

PoC Detected

Jul 02, 2025 - 16:21 vuln.today

Public exploit code

CVE Published

Jun 19, 2025 - 04:15 nvd

CRITICAL 9.8

DescriptionNVD

WeGIA is a web manager for charitable institutions. Prior to version 3.4.2, an OS Command Injection vulnerability was identified in the /html/configuracao/debug_info.php endpoint. The branch parameter is not properly sanitized before being concatenated and executed in a shell command on the server's operating system. This flaw allows an unauthenticated attacker to execute arbitrary commands on the server with the privileges of the web server user (www-data). This issue has been patched in version 3.4.2.

AnalysisAI

Critical OS Command Injection vulnerability in WeGIA (a web management system for charitable institutions) versions prior to 3.4.2, affecting the /html/configuracao/debug_info.php endpoint. An unauthenticated attacker can inject arbitrary operating system commands via the unsanitized 'branch' parameter, achieving remote code execution (RCE) with www-data user privileges. With a CVSS score of 9.8 and network-based attack vector requiring no authentication or user interaction, this represents an immediate and severe threat to all unpatched WeGIA deployments.

Technical ContextAI

The vulnerability is rooted in CWE-78 (Improper Neutralization of Special Elements used in an OS Command, also known as OS Command Injection). WeGIA's debug_info.php script concatenates user-supplied input from the 'branch' parameter directly into a shell command executed via functions like exec(), system(), passthru(), or similar OS command invocation mechanisms without proper input validation or parameterization. The application fails to employ command-level input sanitization techniques (such as escapeshellarg() in PHP, parameterized command execution, or strict allowlisting of branch values). This permits shell metacharacters (|, &, ;, `, $(), etc.) to break out of the intended command context and execute attacker-controlled payloads with the privilege level of the web server process (typically www-data on Linux/Unix systems).

RemediationAI

Immediate actions: (1) Upgrade WeGIA to version 3.4.2 or later—this is the canonical patch and should be deployed as emergency priority. (2) If immediate patching is not possible, implement network-level mitigations: restrict HTTP/HTTPS access to /html/configuracao/debug_info.php using WAF rules, firewall ACLs, or reverse proxy configurations to block public access (allowlist only trusted internal IPs). (3) Disable or remove the debug_info.php endpoint entirely if not in active use (recommend backing up for audit purposes first). (4) Deploy input validation at the WAF or proxy layer to reject requests with shell metacharacters in the 'branch' parameter (e.g., block |, &, ;, `, $, parentheses, backticks). (5) Review logs for evidence of exploitation (look for encoded/obfuscated payloads in HTTP parameters or system command logs). (6) Monitor process execution for suspicious child processes spawned by the web server. Contact WeGIA vendor support for official advisory links and patch delivery mechanisms.

CVE-2025-50201 vulnerability details – vuln.today

Back

PHP CVE-2025-50201

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code