Is PHP affected by CVE-2026-33991?

WeGIA charitable institution management software contains a SQL injection vulnerability in its tag deletion module that allows authenticated users to execute arbitrary database queries, potentially compromising confidential donor and beneficiary data, financial records, and system integrity.

CVE-2026-33991

EUVD-2026-16884 HIGH

2026-03-27 GitHub_M

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 27, 2026 - 22:46 vuln.today

EUVD ID Assigned

Mar 27, 2026 - 22:46 euvd

EUVD-2026-16884

CVE Published

Mar 27, 2026 - 22:10 nvd

HIGH 8.8

Description

WeGIA is a web manager for charitable institutions. Prior to version 3.6.7, the file `html/socio/sistema/deletar_tag.php` uses `extract($_REQUEST)` on line 14 and directly concatenates the `$id_tag` variable into SQL queries on lines 16-17 without prepared statements or sanitization. Version 3.6.7 patches the vulnerability.

Analysis

SQL injection in WeGIA charitable institution management software allows authenticated remote attackers to execute arbitrary database queries with high impact to confidentiality, integrity, and availability. The vulnerability stems from unsafe use of extract($_REQUEST) combined with unsanitized SQL concatenation in the tag deletion module (deletar_tag.php), affecting all versions prior to 3.6.7. …

Remediation

Within 24 hours: Inventory all WeGIA deployments and document current version numbers; restrict administrative access to tag deletion functionality to essential personnel only. Within 7 days: Engage WeGIA vendor for patch availability status and timeline; implement network-level monitoring for suspicious SQL patterns in WeGIA application logs. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +44

POC: 0

CVE-2026-33991 vulnerability details – vuln.today

Back

CVE-2026-33991

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-33991

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code