Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionGitHub Advisory
WeGIA is a web manager for charitable institutions. In versions 3.6.5 and 3.6.6, the loadBackupDB() function imports SQL files from uploaded backup archives without any content validation. An attacker can craft a backup archive containing arbitrary SQL statements that create rogue administrator accounts, modify existing passwords, or execute any database operation. This was introduced in commit 370104c. This issue was patched in version 3.6.7.
AnalysisAI
WeGIA versions 3.6.5 and 3.6.6 contain an unauthenticated SQL injection vulnerability in the loadBackupDB() function that fails to validate SQL content within uploaded backup archives. An attacker can craft a malicious backup file to execute arbitrary SQL statements, including creation of rogue administrator accounts, password modification, or complete database compromise. The vulnerability was introduced in commit 370104c and patched in version 3.6.7; no active exploitation in the wild has been confirmed, but the simplicity of the attack vector and availability of proof-of-concept references via GitHub advisory suggest moderate real-world risk.
Technical ContextAI
WeGIA is a web-based management platform for charitable institutions developed by LabRedesCefetRJ (CPE: cpe:2.3:a:labredescefetrj:wegia). The vulnerability stems from improper input validation in the loadBackupDB() function, which processes SQL backup archives without sanitizing or validating their contents before execution. This is classified as CWE-89 (SQL Injection), a classic injection flaw where untrusted user-supplied data is concatenated into SQL queries without parameterization or escaping. The backup restoration mechanism inherently requires database-level privileges, but the lack of content validation treats uploaded archive contents as implicitly trusted, bypassing the need for traditional SQL injection authentication barriers. The affected versions (3.6.5 and 3.6.6) introduced this flaw in commit 370104c, suggesting a recent regression in input handling logic.
RemediationAI
Immediately upgrade WeGIA to version 3.6.7 or later, which patches the loadBackupDB() validation flaw. The fix is available at https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7 and was implemented via pull request https://github.com/LabRedesCefetRJ/WeGIA/pull/1459. Until patching is completed, restrict backup restoration functionality to administrative users only, disable automated backup imports from untrusted sources, and implement file integrity checks or GPG signature verification of backup archives before restoration. If deployment permits, place the application behind a web application firewall configured to detect and block suspicious SQL patterns in uploaded files.
Critical OS Command Injection vulnerability in WeGIA (a web management system for charitable institutions) versions prio
WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Rated critical
WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely
WeGIA is a web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13676