Description
WeGIA is a web manager for charitable institutions. In versions 3.6.5 and 3.6.6, the loadBackupDB() function imports SQL files from uploaded backup archives without any content validation. An attacker can craft a backup archive containing arbitrary SQL statements that create rogue administrator accounts, modify existing passwords, or execute any database operation. This was introduced in commit 370104c. This issue was patched in version 3.6.7.
Published: 2026-03-20
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary database manipulation via backup import
Action: Patch immediately
AI Analysis

Impact

The loadBackupDB function in WeGIA imports SQL files from uploaded backup archives without validating their contents. An attacker can embed arbitrary SQL statements that create rogue administrator accounts, change existing passwords, or perform any database operation. This flaw allows full compromise of the application’s data, affecting confidentiality, integrity, and availability.

Affected Systems

LabRedesCefetRJ’s WeGIA web manager, versions 3.6.5 and 3.6.6, is affected by this vulnerability. These releases lack content validation for backup imports. The issue is fixed in version 3.6.7 and later.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity. The EPSS score of less than 1% suggests a low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the upload of a malicious backup archive, through which an attacker can remotely inject arbitrary SQL. Note that both CVSS vectors on this record carry PR:H, so the attacker needs an account that is already authorized to upload backups; once there, with no safeguards on the import path, full control of the database on affected installations follows.

Generated by OpenCVE AI on March 20, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patched release 3.6.7 to all WeGIA installations
  • If the patch cannot be applied immediately, restrict the backup import feature to trusted users or temporarily disable it
  • Monitor logs for unauthorized account creation or unexpected database changes
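Neither the description nor the recommendations above say what a content check on an imported backup would look like, so here is an added example (my own illustration, not WeGIA's code and not its 3.6.7 patch): a quote- and comment-aware allowlist validator that accepts only the statement shapes a plain table restore needs, against a hypothetical set of expected tables, and rejects everything else, including statements hidden inside MySQL executable comments. The table names, the two dump texts and every function name are constructed for this illustration.

```python
import re

# Hypothetical tables a restore may touch. This is an assumption for the
# example; WeGIA's real schema is not shown on the advisory page.
EXPECTED_TABLES = {"donation", "event", "volunteer"}

# Statement shapes a plain table restore needs; group 1 is the table name where
# one applies. Everything else (UPDATE, ALTER, GRANT, INSERT ... SELECT, ...)
# fails the allowlist. Real mysqldump output also carries /*!NNNNN SET ... */
# preambles; a production allowlist would need explicit, narrow shapes for those.
ALLOWED_SHAPES = [
    re.compile(r"^DROP TABLE IF EXISTS `?(\w+)`?$", re.I),
    re.compile(r"^CREATE TABLE `?(\w+)`?\s*\(.*\)[\w\s=]*$", re.I | re.S),
    re.compile(r"^INSERT INTO `?(\w+)`?\s*(?:\([^()]*\)\s*)?VALUES\s*\(.*\)$", re.I | re.S),
    re.compile(r"^LOCK TABLES `?(\w+)`? WRITE$", re.I),
    re.compile(r"^UNLOCK TABLES$", re.I),
]


def split_statements(sql: str) -> list[str]:
    """Split a dump into statements on ';' while honouring quotes and comments.

    Semicolons inside string literals or backticked identifiers do not end a
    statement. Ordinary comments are dropped using MySQL's own rules ('-- ' needs
    a following space, '#' and '/* */' do not): any place where this scanner and
    the database disagree about what is a comment is where smuggled SQL would
    slip through. MySQL executable comments ('/*! ... */') are kept as statement
    text so they are judged like any other statement.
    """
    stmts, buf, quote, i, n = [], [], None, 0, len(sql)
    while i < n:
        c = sql[i]
        if quote:
            buf.append(c)
            if c == "\\" and i + 1 < n:  # backslash escape inside a literal
                buf.append(sql[i + 1])
                i += 2
                continue
            if c == quote:
                if i + 1 < n and sql[i + 1] == quote:  # doubled-quote escape
                    buf.append(quote)
                    i += 2
                    continue
                quote = None
            i += 1
            continue
        if c in ("'", '"', "`"):
            quote = c
            buf.append(c)
            i += 1
            continue
        dash_comment = sql.startswith("--", i) and (i + 2 >= n or sql[i + 2] in " \t\r\n")
        if dash_comment or c == "#":
            end = sql.find("\n", i)
            i = n if end == -1 else end
            continue
        if sql.startswith("/*", i) and not sql.startswith("/*!", i):
            end = sql.find("*/", i + 2)
            i = n if end == -1 else end + 2
            continue
        if c == ";":
            stmt = "".join(buf).strip()
            if stmt:
                stmts.append(stmt)
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    tail = "".join(buf).strip()
    if tail:
        stmts.append(tail)
    return stmts


def validate_backup(sql: str) -> tuple[bool, list[str]]:
    """Return (ok, reasons); ok is True only if every statement is allowed."""
    reasons = []
    for stmt in split_statements(sql):
        match = next((m for m in (s.match(stmt) for s in ALLOWED_SHAPES) if m), None)
        if match is None:
            reasons.append(f"statement shape not allowed: {stmt[:60]}")
            continue
        table = match.group(1) if match.groups() else None
        if table is not None and table.lower() not in EXPECTED_TABLES:
            reasons.append(f"statement targets unexpected table {table!r}: {stmt[:60]}")
    return not reasons, reasons


# Constructed sample dumps (not real WeGIA backups).
GOOD_DUMP = """
-- constructed clean dump; comments and quoted semicolons must not confuse the check
# hash-style comment; also ignored
DROP TABLE IF EXISTS `donation`;
CREATE TABLE `donation` (id INT, note VARCHAR(80)) ENGINE=InnoDB;
INSERT INTO `donation` (id, note) VALUES (1, 'gift; with semicolon'), (2, 'it''s ok');
/* plain comment; not executed */ LOCK TABLES `donation` WRITE;
UNLOCK TABLES;
"""

ROGUE_DUMP = """
-- constructed dump carrying statements a table restore never needs
DROP TABLE IF EXISTS `donation`;
INSERT INTO `donation` (id, note) VALUES (1, 'a');
UPDATE `account` SET password_hash = 'attacker-chosen' WHERE role = 'admin';
/*!50000 UPDATE `account` SET role = 'admin' WHERE id = 9 */;
INSERT INTO `donation` VALUES (2, 'b'); INSERT INTO `account` VALUES (9, 'rogue', 'admin');
"""

if __name__ == "__main__":
    for name, dump in (("clean", GOOD_DUMP), ("rogue", ROGUE_DUMP)):
        ok, reasons = validate_backup(dump)
        print(name, "accepted" if ok else "rejected", *reasons, sep="\n  ")
```

Run stand-alone, the clean dump is accepted and the rogue one is refused with three reasons: the bare UPDATE, the UPDATE wrapped in an executable comment, and the INSERT into a table outside the expected set. An allowlist like this is a hardening layer for installations that cannot take 3.6.7 at once, not a replacement for the vendor fix; running the restore under a database account that has no rights on credential tables limits the damage even where a check like this has a gap.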


Advisories

No advisories yet.

History

Tue, 24 Mar 2026 02:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 19:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Wegia
                                       Wegia wegia
CPEs                                   cpe:2.3:a:wegia:wegia:3.6.5:*:*:*:*:*:*:*
                                       cpe:2.3:a:wegia:wegia:3.6.6:*:*:*:*:*:*:*
Vendors & Products                     Wegia
                                       Wegia wegia
Metrics                                cvssV3_1
                                       {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Fri, 20 Mar 2026 16:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Labredescefetrj
                                       Labredescefetrj wegia
Vendors & Products                     Labredescefetrj
                                       Labredescefetrj wegia

Fri, 20 Mar 2026 11:00:00 +0000

Type                  Values Removed   Values Added
Description                            WeGIA is a web manager for charitable institutions. In versions 3.6.5 and 3.6.6, the loadBackupDB() function imports SQL files from uploaded backup archives without any content validation. An attacker can craft a backup archive containing arbitrary SQL statements that create rogue administrator accounts, modify existing passwords, or execute any database operation. This was introduced in commit 370104c. This issue was patched in version 3.6.7.
Title                                  WeGIA has an arbitrary SQL execution vulnerability via crafted backup archive
Weaknesses                             CWE-89
References
Metrics                                cvssV4_0
                                       {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Labredescefetrj Wegia
Wegia Wegia
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T01:59:18.010Z

Reserved: 2026-03-17T20:35:49.928Z

Link: CVE-2026-33133

Vulnrichment

Updated: 2026-03-24T01:59:13.501Z

NVD

Status : Analyzed

Published: 2026-03-20T11:18:03.037

Modified: 2026-03-20T19:29:20.317

Link: CVE-2026-33133

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:29:32Z

Weaknesses