Description
WeGIA is a web manager for charitable institutions. Prior to version 3.6.6, WeGIA (Web gerenciador para instituições assistenciais) contains a SQL injection vulnerability in html/matPat/restaurar_produto.php. The id_produto parameter from $_GET is directly interpolated into SQL queries without parameterization or sanitization. This vulnerability is fixed in 3.6.6.
Published: 2026-03-11
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Compromise
Action: Immediate Patch
AI Analysis

Impact

WeGIA, a web manager for charitable institutions, contains a SQL injection flaw in the restaurar_produto.php file. The id_produto value from the $_GET request is inserted directly into a SQL query without any parameterization or sanitization, allowing an attacker to manipulate the query argument. This flaw is a classic example of CWE-89 and could enable unauthorized reading, modification, or deletion of product data, and potentially broader database compromise if the attacker can elevate their privileges in the resulting SQL context.

Affected Systems

The vulnerability exists in all releases of WeGIA prior to version 3.6.6, including 3.6.5 and earlier. The vendor identified the affected product as LabRedesCefetRJ:WeGIA.

Risk and Exploitability

The CVSS score for this issue is 8.8, indicating a high severity level. The EPSS score is less than 1%, suggesting that, at present, exploitation is unlikely but still possible in environments that expose the vulnerable endpoint. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation would likely occur remotely through a crafted URL containing a malicious id_produto value, though the specific authentication state required is not detailed in the source information.

Generated by OpenCVE AI on March 17, 2026 at 15:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor's patch to upgrade to WeGIA version 3.6.6 or later.

Generated by OpenCVE AI on March 17, 2026 at 15:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Wegia
Wegia wegia
CPEs cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*
Vendors & Products Wegia
Wegia wegia

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Labredescefetrj
Labredescefetrj wegia
Vendors & Products Labredescefetrj
Labredescefetrj wegia

Wed, 11 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description WeGIA is a web manager for charitable institutions. Prior to version 3.6.6, WeGIA (Web gerenciador para instituições assistenciais) contains a SQL injection vulnerability in html/matPat/restaurar_produto.php. The id_produto parameter from $_GET is directly interpolated into SQL queries without parameterization or sanitization. This vulnerability is fixed in 3.6.6.
Title WeGIA has a SQL Injection via Direct Query Interpolation in restaurar_produto.php
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Labredescefetrj Wegia
Wegia Wegia
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T20:27:50.897Z

Reserved: 2026-03-09T21:59:02.688Z

Link: CVE-2026-31895

cve-icon Vulnrichment

Updated: 2026-03-11T20:27:46.042Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T20:16:15.633

Modified: 2026-03-13T20:06:31.840

Link: CVE-2026-31895

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:29:23Z

Weaknesses