CRITICAL🇵🇱 Wersja polska

CVE-2026-31896

CVSS 9.8v3.1pub. 2026-03-11upd. 2026-03-13

WeGIA is a web manager for charitable institutions. Prior to version 3.6.6, a critical SQL injection vulnerability exists in the WeGIA application. The remover_produto_ocultar.php script uses extract($_REQUEST) to populate local variables and then directly concatenates these variables into a SQL query executed via PDO::query. This allows an authenticated (or auth-bypassed) attacker to execute arbitrary SQL commands. This can be used to exfiltrate sensitive data from the database or, as demonstrated in this PoC, cause a time-based delay (denial of service). This vulnerability is fixed in 3.6.6.

🤖 AI Analysis
How it works

The remover_produto_ocultar.php script uses the extract($_REQUEST) function to automatically create local variables based on user-submitted data. The values of these variables are then directly concatenated into an SQL query executed by PDO::query, without any sanitization or use of parameterized queries. An attacker – authenticated or bypassing authorization mechanisms – can inject arbitrary SQL commands in this way, such as time-based payload causing server response delay (Denial of Service).

Impact

An attacker can extract sensitive data from the application database or launch a DoS attack using time-based SQL injection technique. Due to the network vector without required privileges, the scale of potential exposure is very large.

Mitigation & patch

WeGIA should be updated to version 3.6.6 or later, in which the vulnerability has been fixed. Details are available in the vendor references: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w7g3-87cr-8m83

Who is affected

WeGIA in versions before 3.6.6

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Wegia

    APP
    Wegia
    < 3.6.6
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLiDoS
CWE
References

Related vulnerabilities

CVE-2026-33136CRITICAL9.3PL ✓ten sam produkt

Reflected XSS w WeGIA — wstrzyknięcie kodu przez parametr sccd

CVE-2026-33135CRITICAL9.3PL ✓ten sam produkt

Reflected XSS w WeGIA — wstrzyknięcie kodu JS przez parametr GET

CVE-2026-33134CRITICAL9.3PL ✓ten sam produkt

SQL Injection w WeGIA — kompromitacja bazy danych przez parametr id_produto

CVE-2026-28408CRITICAL9.8PL ✓ten sam produkt

WeGIA – pominięcie uwierzytelnienia w adicionar_tipo_docs_atendido.php

CVE-2026-28409CRITICAL10.0PL ✓ten sam produkt

WeGIA – RCE przez command injection w funkcji przywracania bazy danych