PHP CVE-2026-40285

EUVD-2026-23529 HIGH
SQL Injection (CWE-89)
2026-04-17 GitHub_M
8.8
CVSS 3.1

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Re-analysis Queued (cvss_changed) - Apr 17, 2026 21:22 - vuln.today
Patch available - Apr 17, 2026 21:16 - EUVD
Analysis Generated - Apr 17, 2026 21:11 - vuln.today

Description (NVD)

WeGIA is a web manager for charitable institutions. Versions prior to 3.6.10 contain a SQL injection vulnerability in dao/memorando/UsuarioDAO.php. The cpf_usuario POST parameter overwrites the session-stored user identity via extract($_REQUEST) in DespachoControle::verificarDespacho(), and the attacker-controlled value is then interpolated directly into a raw SQL query, allowing any authenticated user to query the database under an arbitrary identity. Version 3.6.10 fixes the issue.

Analysis (AI)

SQL injection in WeGIA charitable institution manager allows authenticated users to impersonate arbitrary identities and execute database queries with elevated privileges. The cpf_usuario parameter in dao/memorando/UsuarioDAO.php bypasses session-based identity controls through PHP's extract($_REQUEST) function, enabling any low-privileged authenticated user to query sensitive data or modify database contents as any other user, including administrators. …
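The description and analysis above point at two compounding defects: extract($_REQUEST) letting a request parameter shadow the identity loaded from the session, and that value being interpolated into a raw query. The following is an added illustration of that bug class beside a hardened form; it is not WeGIA's code, and the function names, the $pdo connection, the memorando table and the id_memorando field are assumptions.

```php
<?php
// Added illustration (not WeGIA's code). Assumed: a PDO connection in $pdo,
// the login flow stores the user's identity in $_SESSION['cpf_usuario'],
// and a hypothetical "memorando" table keyed by cpf_usuario.

session_start();

// --- Vulnerable pattern ---------------------------------------------------
// extract($_REQUEST) turns every request key into a local variable (default
// mode EXTR_OVERWRITE), so a client-supplied cpf_usuario replaces the one
// just read from the session, and string interpolation then hands that
// value to the database verbatim.
function verificarDespachoVulneravel(PDO $pdo): array
{
    $cpf_usuario = $_SESSION['cpf_usuario'];   // trusted identity...
    extract($_REQUEST);                        // ...silently overwritten here
    $sql = "SELECT * FROM memorando WHERE cpf_usuario = '$cpf_usuario'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened pattern ------------------------------------------------------
// Identity comes only from the session, request data is read explicitly by
// key and validated, and the query is parameterised so no value is ever
// parsed as SQL.
function verificarDespachoSeguro(PDO $pdo): array
{
    if (!isset($_SESSION['cpf_usuario'])) {
        throw new RuntimeException('not authenticated');
    }
    $cpf = $_SESSION['cpf_usuario'];

    // Per-request input is read by name and validated, never extract()ed.
    $idMemorando = filter_input(INPUT_POST, 'id_memorando', FILTER_VALIDATE_INT);
    if ($idMemorando === null || $idMemorando === false) {
        throw new InvalidArgumentException('invalid id_memorando');
    }

    $stmt = $pdo->prepare(
        'SELECT * FROM memorando WHERE cpf_usuario = :cpf AND id = :id'
    );
    $stmt->execute([':cpf' => $cpf, ':id' => $idMemorando]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

A cheap code-review check for this pattern is to search a codebase for extract() applied to $_REQUEST, $_GET or $_POST, since any such call lets the client overwrite every local variable in scope.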


Remediation (AI)

Within 24 hours: Inventory all WeGIA deployments and confirm versions in use; restrict database access permissions to the application service account (principle of least privilege) and disable any unused user accounts. Within 7 days: Contact WeGIA vendor for patch availability timeline and request emergency security update; if patch is released, apply version 3.6.10 or later to all instances. …



CVE-2026-40285 vulnerability details – vuln.today
