Description
WeGIA is a web manager for charitable institutions. Versions prior to 3.6.10 contain a SQL injection vulnerability in dao/memorando/UsuarioDAO.php. The cpf_usuario POST parameter overwrites the session-stored user identity via extract($_REQUEST) in DespachoControle::verificarDespacho(), and the attacker-controlled value is then interpolated directly into a raw SQL query, allowing any authenticated user to query the database under an arbitrary identity. Version 3.6.10 fixes the issue.
Published: 2026-04-17
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection enabling identity takeover
Action: Immediate Patch
AI Analysis

Impact

WeGIA, a web manager for charitable institutions, contains a SQL injection flaw in the dao/memorando/UsuarioDAO.php layer. The vulnerability arises because the cpf_usuario POST parameter overwrites the session-stored user identity via extract($_REQUEST) in DespachoControle::verificarDespacho(). The attacker-controlled value is then concatenated directly into a raw SQL query, allowing an authenticated user to query the database under an arbitrary user identity. This elevates privileges and can expose sensitive data, a classic injection weakness identified by CWE-89.

Affected Systems

LabRedesCefetRJ’s WeGIA installations running any version prior to 3.6.10 are susceptible. The fix was applied in version 3.6.10, which strictly validates the user identifier and uses secure query construction.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8, indicating high severity. No EPSS data is available and the issue is not listed in the CISA KEV catalog, but the description places no restriction beyond a valid login: any logged-in user on a compromised or trusted network can exploit the flaw. Exploitation requires only a valid session and the ability to send a crafted POST request with a cpf_usuario payload.

Generated by OpenCVE AI on April 18, 2026 at 09:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply WeGIA version 3.6.10 or later, which removes the vulnerability.
  • If an upgrade cannot be performed immediately, sanitize or validate the cpf_usuario POST parameter before it reaches the DAO layer to prevent session overwrite.
  • Refactor the query logic in UsuarioDAO.php to use prepared statements or parameterized queries, ensuring that user input cannot be injected into the SQL command.
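The two code-level actions above (stop request data from overwriting the session identity, and move the DAO query to a prepared statement) are illustrated below in a constructed PHP example. This is not WeGIA's code: the function names, the memorando table, the id_memorando column and the 11-digit CPF format check are assumptions made for the illustration. The weak function shows the pattern the advisory describes; the hardened function shows the same action with the identity taken from the session only and all values bound as parameters.

```php
<?php
// Constructed illustration, not WeGIA's own code. Table and column names,
// function names and the CPF format check are assumptions for this example.

// --- Weak pattern described in the advisory ---------------------------------
function verificarDespachoWeak(PDO $db): array
{
    session_start();
    $cpf_usuario = $_SESSION['cpf_usuario'];   // identity established at login
    // extract() imports every request key as a local variable, so a request
    // parameter named cpf_usuario silently replaces the session value above.
    extract($_REQUEST);
    // String interpolation makes the value part of the SQL text, not data.
    $sql = "SELECT * FROM memorando WHERE cpf_usuario = '$cpf_usuario'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened form ----------------------------------------------------------
function verificarDespachoHardened(PDO $db): array
{
    session_start();
    // 1. The acting identity comes from the server-side session only.
    //    Request data is never mass-assigned into local scope.
    $cpf_usuario = $_SESSION['cpf_usuario'] ?? null;
    if (!is_string($cpf_usuario) || !preg_match('/^\d{11}$/', $cpf_usuario)) {
        throw new RuntimeException('no authenticated identity in session');
    }
    // 2. Each request parameter the action needs is read by name and
    //    validated; none of them may name the acting user.
    $id_memorando = filter_input(INPUT_POST, 'id_memorando', FILTER_VALIDATE_INT);
    if ($id_memorando === false || $id_memorando === null) {
        throw new InvalidArgumentException('id_memorando must be an integer');
    }
    // 3. Prepared statement: values travel as bound parameters and cannot
    //    alter the SQL the server executes.
    $stmt = $db->prepare(
        'SELECT * FROM memorando WHERE cpf_usuario = :cpf AND id_memorando = :id'
    );
    $stmt->execute([':cpf' => $cpf_usuario, ':id' => $id_memorando]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Stopgap while an upgrade is pending ------------------------------------
// Refuse any request to the despacho action that carries the session-owned
// identity key at all. Scope this to the affected endpoint only, since other
// forms in the application may legitimately submit a cpf_usuario field.
function rejectIdentityOverride(array $request): void
{
    if (array_key_exists('cpf_usuario', $request)) {
        // Caller maps this to an HTTP 400 and logs the attempt for review.
        throw new InvalidArgumentException(
            'cpf_usuario is taken from the session, not from the request'
        );
    }
}
```

The stopgap is a detection point as well as a block: a request to this endpoint that supplies cpf_usuario has no legitimate reason to exist, so logging the rejection gives a clean signal for monitoring until version 3.6.10 is deployed.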


Advisories

No advisories yet.

History

Fri, 17 Apr 2026 21:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Labredescefetrj
                                      Labredescefetrj wegia
Vendors & Products                    Labredescefetrj
                                      Labredescefetrj wegia

Fri, 17 Apr 2026 20:45:00 +0000

Type         Values Removed   Values Added
Description                   WeGIA is a web manager for charitable institutions. Versions prior to 3.6.10 contain a SQL injection vulnerability in dao/memorando/UsuarioDAO.php. The cpf_usuario POST parameter overwrites the session-stored user identity via extract($_REQUEST) in DespachoControle::verificarDespacho(), and the attacker-controlled value is then interpolated directly into a raw SQL query, allowing any authenticated user to query the database under an arbitrary identity. Version 3.6.10 fixes the issue.
Title                         WeGIA has SQL Injection via Session Variable Override in DespachoControle.php
Weaknesses                    CWE-302
                              CWE-473
                              CWE-89
References
Metrics                       cvssV3_1
                              {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Labredescefetrj Wegia
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-17T20:25:33.185Z

Reserved: 2026-04-10T20:22:44.035Z

Link: CVE-2026-40285

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-17T21:16:34.267

Modified: 2026-04-17T21:16:34.267

Link: CVE-2026-40285

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:15:15Z

Weaknesses