Description
WeGIA is a web manager for charitable institutions. Prior to version 3.6.7, the file `html/socio/sistema/deletar_tag.php` uses `extract($_REQUEST)` on line 14 and directly concatenates the `$id_tag` variable into SQL queries on lines 16-17 without prepared statements or sanitization. Version 3.6.7 patches the vulnerability.
Published: 2026-03-27
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection that permits unauthorized database access or manipulation
Action: Immediate Patch
AI Analysis

Impact

The flaw resides in the deletar_tag.php script of the WeGIA web manager. The code extracts request parameters directly into local variables (`extract($_REQUEST)`) and then concatenates the id_tag value into SQL statements without sanitization or prepared statements, a classic SQL injection (CWE-89). An attacker who can send crafted HTTP requests to this endpoint could alter the SELECT, UPDATE, or DELETE queries to read, modify, or delete arbitrary records, potentially exposing confidential information or compromising the integrity of the system.
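The pattern the analysis describes, placed beside the prepared-statement form that removes it. This is an added illustration, not WeGIA's code: the table name `tag` and column `id_tag`, the function names, and the database handles are assumptions chosen to mirror the advisory's wording.

```php
<?php
// Added illustration, not WeGIA's code. Table/column names are assumed.

// --- Vulnerable pattern, as described in the advisory ---
// extract() turns every key of the request array into a local variable,
// so $id_tag is client-controlled and untyped, and string concatenation
// lets the database parse whatever the client sent as part of the SQL.
function deleteTagVulnerable(mysqli $db, array $request): void
{
    extract($request);                                  // $id_tag comes straight from the client
    $sql = "DELETE FROM tag WHERE id_tag = $id_tag";    // value is spliced into the query text
    $db->query($sql);
}

// --- Hardened form ---
// 1. Read only the parameter the endpoint expects; never extract() client input.
// 2. Validate its shape (a positive integer id) before it reaches the database.
// 3. Bind it through a prepared statement so it is always treated as data.
function deleteTagSafe(PDO $db, array $request): bool
{
    $raw = $request['id_tag'] ?? null;
    $valid = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($valid === false) {
        http_response_code(400);                        // reject malformed ids up front
        return false;
    }
    $idTag = (int) $valid;

    $stmt = $db->prepare('DELETE FROM tag WHERE id_tag = :id_tag');
    $stmt->bindValue(':id_tag', $idTag, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() > 0;                       // true if a row was actually removed
}

// Usage (assumed connection details): pass $_POST rather than $_REQUEST so
// cookie and query-string values cannot stand in for the form field.
// $pdo = new PDO('mysql:host=localhost;dbname=wegia', $user, $pass, [
//     PDO::ATTR_EMULATE_PREPARES => false,            // real server-side binding
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
// ]);
// deleteTagSafe($pdo, $_POST);
```

Two design points worth noting for a reviewer of the patched release: disabling `PDO::ATTR_EMULATE_PREPARES` makes the binding happen on the server instead of being re-quoted in the client library, and reading from `$_POST` (or `$_GET`) explicitly instead of `$_REQUEST` removes the ambiguity of which source supplied the parameter, which `extract()` hid entirely.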

Affected Systems

LabRedesCefetRJ WeGIA versions earlier than 3.6.7 are affected. The vulnerability exists in all releases prior to this patch, including 3.6.6 and older. Only the 3.6.7 release and subsequent builds contain the fix that removes the insecure code path.

Risk and Exploitability

The CVSS score of 8.8 signals high severity, and the EPSS score of less than 1% indicates that exploitation is currently uncommon in the wild. The flaw is not listed in the CISA KEV catalog. The likely attack vector is HTTP requests to the deletar_tag.php endpoint, where manipulating the id_tag parameter achieves the injection. If the application lacks robust authentication or access controls, the risk escalates to unauthenticated exploitation, widening the attack surface.

Generated by OpenCVE AI on April 1, 2026 at 07:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WeGIA application to version 3.6.7 or later, which includes the patch that removes the vulnerable code.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Wegia; Wegia wegia
CPEs                 -                cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*
Vendors & Products   -                Wegia; Wegia wegia

Tue, 31 Mar 2026 19:15:00 +0000

Type     Values Removed   Values Added
Metrics  -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 07:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Labredescefetrj; Labredescefetrj wegia
Vendors & Products   -                Labredescefetrj; Labredescefetrj wegia

Sat, 28 Mar 2026 03:15:00 +0000

Type         Values Removed   Values Added
Description  -                WeGIA is a web manager for charitable institutions. Prior to version 3.6.7, the file `html/socio/sistema/deletar_tag.php` uses `extract($_REQUEST)` on line 14 and directly concatenates the `$id_tag` variable into SQL queries on lines 16-17 without prepared statements or sanitization. Version 3.6.7 patches the vulnerability.
Title        -                WeGIA has SQL Injection in deletar_tag.php
Weaknesses   -                CWE-89
References   -                
Metrics      -                cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Labredescefetrj Wegia
Wegia Wegia
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T19:09:51.018Z

Reserved: 2026-03-24T22:20:06.211Z

Link: CVE-2026-33991

Vulnrichment

Updated: 2026-03-31T19:07:47.206Z

NVD

Status: Analyzed

Published: 2026-03-27T23:17:13.913

Modified: 2026-03-31T20:57:55.913

Link: CVE-2026-33991

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:55:15Z

Weaknesses