Description
WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an authenticated SQL Injection vulnerability was identified in the Atendido_ocorrenciaControle endpoint via the id_memorando parameter. This flaw allows for full database exfiltration, exposure of sensitive PII, and potential arbitrary file reads in misconfigured environments. This vulnerability is fixed in 3.6.2.
Published: 2026-01-16
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection allowing full database exfiltration and exposure of sensitive PII
Action: Immediate Patch
AI Analysis

Impact

An authenticated SQL Injection flaw exists in the Atendido_ocorrenciaControle endpoint of the WeGIA web manager, triggered via the id_memorando parameter. Because the attacker can insert arbitrary SQL, the flaw permits full database exfiltration, sensitive personal data exposure, and, in misconfigured setups, arbitrary file reads. The weakness is a classic injection error (CWE-89).

Affected Systems

The vulnerability affects installations of WeGIA prior to version 3.6.2. The application is developed and distributed by LabRedesCefetRJ. Versions older than 3.6.2 are unpatched; the fix is included in release 3.6.2 and later.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity level, while the EPSS score of <1% suggests a low but non-zero probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Attackers would need authenticated access to the application (the CVSS vector rates the required privileges as high, PR:H), likely obtained by compromising legitimate user credentials, in order to supply malicious id_memorando values. Once in place, the injection can lead to full data exfiltration, or to file reads where the database account holds more permissions than the application needs.

Generated by OpenCVE AI on April 18, 2026 at 05:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WeGIA to version 3.6.2 or later to apply the vendor-supplied fix.
  • Review and enforce least-privilege database permissions so the application interacts with the database using the minimal privileges required.
  • Implement logging and monitoring of the Atendido_ocorrenciaControle endpoint, and consider adding a web application firewall rule to block malformed id_memorando parameters to deter injection attempts.
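The monitoring and parameter-validation actions above, as an added example that is not part of the OpenCVE page or the WeGIA project: an allowlist check for id_memorando plus a scanner that flags requests to the Atendido_ocorrenciaControle endpoint whose parameter is not a plain integer. The endpoint path, the access-log lines, users and client addresses are constructed assumptions; only the endpoint and parameter names come from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format lines (assumed path under the WeGIA
# document root; hosts, users and values are made up for this example).
SAMPLE_LOG = """\
10.0.0.5 - alice [18/Jan/2026:10:01:02 +0000] "GET /html/atendido/controller/Atendido_ocorrenciaControle.php?id_memorando=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - bob [18/Jan/2026:10:01:07 +0000] "GET /html/atendido/controller/Atendido_ocorrenciaControle.php?id_memorando=42%27 HTTP/1.1" 500 0 "-" "curl/8.0"
10.0.0.5 - alice [18/Jan/2026:10:01:09 +0000] "GET /html/index.php?id_memorando=abc HTTP/1.1" 200 128 "-" "Mozilla/5.0"
10.0.0.9 - bob [18/Jan/2026:10:01:11 +0000] "GET /html/atendido/controller/Atendido_ocorrenciaControle.php?id_memorando=-1 HTTP/1.1" 200 9000 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ID_RE = re.compile(r"[0-9]{1,10}")


def id_memorando_is_well_formed(value: str) -> bool:
    """Allowlist rule a WAF or the application can apply: a memorando id is a
    short, unsigned decimal integer. Anything else is rejected before it can
    reach the query (assumption: ids are integers in this deployment)."""
    return ID_RE.fullmatch(value) is not None


def suspicious_requests(log_text: str, endpoint: str = "Atendido_ocorrenciaControle"):
    """Scan access-log lines and return requests to the endpoint whose
    id_memorando value fails the allowlist. Only query-string parameters are
    visible in a standard access log; POST bodies need WAF or app-level logging."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if endpoint not in url.path:
            continue
        # parse_qs percent-decodes values, so %27 is seen as a quote character.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("id_memorando", []):
            if not id_memorando_is_well_formed(value):
                findings.append({"ip": m["ip"], "user": m["user"],
                                 "status": int(m["status"]), "id_memorando": value})
    return findings


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```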

Generated by OpenCVE AI on April 18, 2026 at 05:42 UTC.

Advisories

No advisories yet.

History

Fri, 30 Jan 2026 18:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*

Mon, 19 Jan 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Wegia; Wegia wegia

Type: Vendors & Products
Values Added: Wegia; Wegia wegia

Fri, 16 Jan 2026 22:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 16 Jan 2026 19:45:00 +0000

Type: Description
Values Added: WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an authenticated SQL Injection vulnerability was identified in the Atendido_ocorrenciaControle endpoint via the id_memorando parameter. This flaw allows for full database exfiltration, exposure of sensitive PII, and potential arbitrary file reads in misconfigured environments. This vulnerability is fixed in 3.6.2.

Type: Title
Values Added: WeGIA has a Critical SQL Injection in Atendido_ocorrenciaControle via id_memorando parameter

Type: Weaknesses
Values Added: CWE-89

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-16T21:36:57.181Z

Reserved: 2026-01-15T15:45:01.955Z

Link: CVE-2026-23723

Vulnrichment

Updated: 2026-01-16T21:36:52.331Z

NVD

Status : Analyzed

Published: 2026-01-16T20:15:50.163

Modified: 2026-01-30T18:28:51.853

Link: CVE-2026-23723

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T05:45:38Z

Weaknesses