Vulnerability Description
WeGIA is a web manager for charitable institutions. Prior to version 3.6.6, a critical SQL injection vulnerability exists in the WeGIA application. The remover_produto_ocultar.php script uses extract($_REQUEST) to populate local variables and then directly concatenates these variables into a SQL query executed via PDO::query. This allows an authenticated (or auth-bypassed) attacker to execute arbitrary SQL commands. This can be used to exfiltrate sensitive data from the database or, as demonstrated in this PoC, cause a time-based delay (denial of service). This vulnerability is fixed in 3.6.6.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wegia | Wegia | < 3.6.6 |
Related Weaknesses (CWE)
References
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w7g3-87cr-8m83ExploitVendor Advisory
FAQ
What is CVE-2026-31896?
CVE-2026-31896 is a vulnerability with a CVSS score of 9.8 (CRITICAL). WeGIA is a web manager for charitable institutions. Prior to version 3.6.6, a critical SQL injection vulnerability exists in the WeGIA application. The remover_produto_ocultar.php script uses extract(...
How severe is CVE-2026-31896?
CVE-2026-31896 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-31896?
Check the references section above for vendor advisories and patch information. Affected products include: Wegia Wegia.