Description
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, WeGIA (Web gerenciador para instituições assistenciais) contains a SQL injection vulnerability in dao/memorando/DespachoDAO.php. The id_memorando parameter is extracted from $_REQUEST without validation and directly interpolated into SQL queries, allowing any authenticated user to execute arbitrary SQL commands against the database. This vulnerability is fixed in 3.6.9.
Published: 2026-04-06
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Database Compromise via SQL Injection
Action: Apply Patch
AI Analysis

Impact

The flaw is a classic SQL injection in WeGIA's DespachoDAO.php, where the id_memorando parameter is extracted from the request without validation and interpolated directly into a SQL query. An authenticated user can supply a malicious value and thereby execute arbitrary SQL commands against the underlying database. This can lead to data theft, alteration or deletion of records, and potentially provide access to sensitive information within the system.

Affected Systems

The vulnerability affects LabRedesCefetRJ's WeGIA web manager versions earlier than 3.6.9. The flaw resides in the DespachoDAO.php component of the application.

Risk and Exploitability

With a CVSS score of 8.8, the vulnerability is rated high severity. The EPSS score is not available, and it is not listed in the CISA KEV catalog. An attacker needs only valid user credentials for the web interface and can trigger the injection simply by sending a crafted id_memorando value; no additional privileges or network exposure are required.

Generated by OpenCVE AI on April 7, 2026 at 02:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WeGIA to version 3.6.9 or later.
  • If an upgrade is not available, sanitize the id_memorando input and use parameterized queries to prevent injection.
  • Restrict user permissions so that only authorized roles can supply the id_memorando parameter.
  • Monitor database logs for suspicious queries and anomalous user activity.
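As an added illustration of the second recommended action (this is not WeGIA's own code; the class, table and column names are assumptions for the example), the PHP below shows the unsafe request-to-query pattern the advisory describes next to a hardened version that validates id_memorando as an integer and binds it as a prepared-statement parameter:

```php
<?php
// Added example, not code from the WeGIA project. The class name, the
// "despacho" table and its columns are assumptions made for illustration.

class DespachoDaoExample
{
    private PDO $pdo;

    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
        // Use real server-side prepared statements and surface errors as exceptions.
        $this->pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
        $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    // The class of defect described in the advisory: a request value is
    // interpolated straight into the SQL string, so the database parses
    // whatever the caller sent as part of the statement.
    public function findDespachosUnsafe(array $request): array
    {
        $id  = $request['id_memorando'];                           // no validation
        $sql = "SELECT * FROM despacho WHERE id_memorando = $id";  // string interpolation
        return $this->pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
    }

    // Hardened version: reject anything that is not a positive integer, then
    // pass the value as a bound parameter so it can never be read as SQL.
    public function findDespachos(array $request): array
    {
        $id = filter_var($request['id_memorando'] ?? null, FILTER_VALIDATE_INT, [
            'options' => ['min_range' => 1],
        ]);
        if ($id === false) {
            throw new InvalidArgumentException('id_memorando must be a positive integer');
        }

        $stmt = $this->pdo->prepare(
            'SELECT id_despacho, id_memorando, texto, data_despacho
               FROM despacho
              WHERE id_memorando = :id'
        );
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Usage sketch; the DSN and credentials are placeholders.
// $dao  = new DespachoDaoExample(new PDO('mysql:host=localhost;dbname=wegia', 'user', 'pass'));
// $rows = $dao->findDespachos($_REQUEST);
```

The parameter binding is the actual fix; the integer check is defence in depth that also turns malformed input into a clear application error instead of a database error. If the codebase uses mysqli rather than PDO, the same shape applies with mysqli_prepare and bind_param('i', ...). Disabling emulated prepares matters because with emulation PDO builds the quoted string client-side instead of sending the parameter separately to the server.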

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 15:15:00 +0000

  Metrics (values added): ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 09:45:00 +0000

  First Time appeared (values added): Labredescefetrj; Labredescefetrj wegia
  Vendors & Products (values added): Labredescefetrj; Labredescefetrj wegia

Tue, 07 Apr 2026 00:00:00 +0000

  Description (values added): WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, WeGIA (Web gerenciador para instituições assistenciais) contains a SQL injection vulnerability in dao/memorando/DespachoDAO.php. The id_memorando parameter is extracted from $_REQUEST without validation and directly interpolated into SQL queries, allowing any authenticated user to execute arbitrary SQL commands against the database. This vulnerability is fixed in 3.6.9.
  Title (values added): WeGIA has a SQL Injection in DespachoDAO.php via id_memorando parameter
  Weaknesses (values added): CWE-89
  References: (no values shown)
  Metrics (values added): cvssV3_1
    {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T13:45:12.996Z

Reserved: 2026-04-02T17:03:42.074Z

Link: CVE-2026-35395

Vulnrichment

Updated: 2026-04-07T13:45:01.790Z

NVD

Status : Undergoing Analysis

Published: 2026-04-06T21:16:21.450

Modified: 2026-04-07T15:17:43.230

Link: CVE-2026-35395

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T09:37:06Z

Weaknesses