Authenticated SQL Injection Vulnerability in WeGIA by LabRedesCefetRJ
CVE-2026-33134

9.3CRITICAL

Key Information:

Vendor

Labredescefetrj

Status
Wegia
Vendor
CVE Published:
20 March 2026

What is CVE-2026-33134?

WeGIA, a web management tool for charitable institutions, presents a vulnerability within versions 3.6.5 and earlier that exposes it to SQL Injection. This flaw exists in the 'restaurar_produto.php' endpoint, where an attacker with authenticated access can exploit the application. By manipulating the 'id_produto' GET parameter, the attacker can execute arbitrary SQL commands, resulting in potential full database access. The insecure handling of parameters occurs because the application directly integrates user-provided input into SQL queries without employing necessary safety measures such as sanitization or prepared statements. This serious security issue has been addressed in version 3.6.6.

Affected Version(s)

WeGIA < 3.6.6

References

https://github.com/LabRedesCefetRJ/WeGIA/security/advisor...
x_refsource_CONFIRM
https://github.com/LabRedesCefetRJ/WeGIA/pull/1457
x_refsource_MISC
https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.6
x_refsource_MISC

CVSS V3.1

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.