CVE-2026-31896

WeGIA · WeGIA

WeGIA contains a critical SQL injection vulnerability in the remover_produto_ocultar.php script due to improper handling of user-supplied request data.

Executive summary

A critical SQL injection vulnerability in WeGIA allows attackers to execute arbitrary database commands, leading to total data exfiltration or system disruption.

Vulnerability

The vulnerability stems from the use of extract($_REQUEST), which turns every request parameter into a local variable, followed by direct concatenation of those variables into a SQL query. Because the attacker controls the text that becomes part of the query, they can alter its logic to gain unauthorized data access, or cause denial of service through time-based injection that forces the database to stall on each request.
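The following is an added illustration of the pattern the advisory describes and of the parameter-binding fix that version 3.6.6 is said to introduce; it is not WeGIA's own code, and the table and column names (produto, id_produto, ocultar) are assumptions.

```php
<?php
// Illustrative reconstruction, not the project's code: the unsafe pattern
// (extract($_REQUEST) + string concatenation) beside a hardened form.
// Table/column names are assumptions made for the example.

// --- Vulnerable pattern: do not use ---
function ocultarProdutoInseguro(mysqli $db): bool
{
    // extract() creates a local variable for every request key, so the client
    // decides both the value and which variables exist; $id_produto then lands
    // verbatim inside the SQL text, which is the injection point.
    extract($_REQUEST);
    $sql = "UPDATE produto SET ocultar = 1 WHERE id_produto = " . $id_produto;
    return $db->query($sql) !== false;
}

// --- Hardened form ---
function ocultarProdutoSeguro(PDO $db, array $request): bool
{
    // Read only the one field the script expects, from an explicit array
    // (no extract()), and validate its type before it goes near the database.
    $id = filter_var(
        $request['id_produto'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        throw new InvalidArgumentException('id_produto must be a positive integer');
    }

    // Bind the value as a typed parameter: it is sent separately from the SQL
    // text, so it can never change the statement's structure.
    $stmt = $db->prepare('UPDATE produto SET ocultar = 1 WHERE id_produto = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;
}

// Connection settings that make the hardened form effective (assumed DSN):
// disable emulated prepares so binding happens server-side, and surface
// errors as exceptions instead of silently continuing.
// $pdo = new PDO('mysql:host=localhost;dbname=wegia', $user, $pass, [
//     PDO::ATTR_EMULATE_PREPARES => false,
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
// ]);
// ocultarProdutoSeguro($pdo, $_POST);
```

Note that the safe version also stops accepting the merged $_REQUEST superglobal in favour of the specific method the form uses, which removes the ambiguity between GET, POST and cookie values.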

Business impact

The severity of this flaw is underscored by the 9.8 CVSS score, indicating critical risk. An attacker can bypass security controls to extract the entire contents of the database, potentially including sensitive donor or institutional information, or render the application unusable.

Remediation

Immediate Action: Update the WeGIA application to version 3.6.6 immediately; this release replaces the concatenated query with bound parameters and removes the unsafe extract($_REQUEST) handling.

Proactive Monitoring: Review database audit logs for anomalous query patterns, specifically looking for time-based delay commands or unexpected syntax.

Compensating Controls: Implement a Web Application Firewall (WAF) with SQL injection protection rules to block malicious requests targeting the vulnerable script.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

SQL injection is a high-impact vulnerability that requires immediate attention. Administrators must prioritize the update to version 3.6.6 to eliminate the insecure query execution path and protect institutional data.