Skip to main content

Wegia EUVDEUVD-2026-13676

| CVE-2026-33133 HIGH
SQL Injection (CWE-89)
2026-03-20 GitHub_M
7.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:19 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
3.6.7
EUVD ID Assigned
Mar 20, 2026 - 11:00 euvd
EUVD-2026-13676
Analysis Generated
Mar 20, 2026 - 11:00 vuln.today
CVE Published
Mar 20, 2026 - 10:31 nvd
HIGH 7.2

DescriptionGitHub Advisory

WeGIA is a web manager for charitable institutions. In versions 3.6.5 and 3.6.6, the loadBackupDB() function imports SQL files from uploaded backup archives without any content validation. An attacker can craft a backup archive containing arbitrary SQL statements that create rogue administrator accounts, modify existing passwords, or execute any database operation. This was introduced in commit 370104c. This issue was patched in version 3.6.7.

AnalysisAI

WeGIA versions 3.6.5 and 3.6.6 contain an unauthenticated SQL injection vulnerability in the loadBackupDB() function that fails to validate SQL content within uploaded backup archives. An attacker can craft a malicious backup file to execute arbitrary SQL statements, including creation of rogue administrator accounts, password modification, or complete database compromise. The vulnerability was introduced in commit 370104c and patched in version 3.6.7; no active exploitation in the wild has been confirmed, but the simplicity of the attack vector and availability of proof-of-concept references via GitHub advisory suggest moderate real-world risk.

Technical ContextAI

WeGIA is a web-based management platform for charitable institutions developed by LabRedesCefetRJ (CPE: cpe:2.3:a:labredescefetrj:wegia). The vulnerability stems from improper input validation in the loadBackupDB() function, which processes SQL backup archives without sanitizing or validating their contents before execution. This is classified as CWE-89 (SQL Injection), a classic injection flaw where untrusted user-supplied data is concatenated into SQL queries without parameterization or escaping. The backup restoration mechanism inherently requires database-level privileges, but the lack of content validation treats uploaded archive contents as implicitly trusted, bypassing the need for traditional SQL injection authentication barriers. The affected versions (3.6.5 and 3.6.6) introduced this flaw in commit 370104c, suggesting a recent regression in input handling logic.

RemediationAI

Immediately upgrade WeGIA to version 3.6.7 or later, which patches the loadBackupDB() validation flaw. The fix is available at https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7 and was implemented via pull request https://github.com/LabRedesCefetRJ/WeGIA/pull/1459. Until patching is completed, restrict backup restoration functionality to administrative users only, disable automated backup imports from untrusted sources, and implement file integrity checks or GPG signature verification of backup archives before restoration. If deployment permits, place the application behind a web application firewall configured to detect and block suspicious SQL patterns in uploaded files.

More in Wegia

View all
CVE-2025-50201 CRITICAL POC
9.8 Jun 19

Critical OS Command Injection vulnerability in WeGIA (a web management system for charitable institutions) versions prio

CVE-2025-27140 CRITICAL POC
10.0 Feb 24

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely

CVE-2025-26613 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

CVE-2025-55169 CRITICAL POC
10.0 Aug 12

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Rated critical

CVE-2025-30364 CRITICAL POC
10.0 Mar 27

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely

CVE-2025-46828 CRITICAL POC
10.0 May 07

WeGIA is a web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely

CVE-2025-26612 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

CVE-2025-26617 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

CVE-2025-26611 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

CVE-2025-26609 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

CVE-2025-26608 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

CVE-2025-26607 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

Share

EUVD-2026-13676 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy