CVE-2026-33134

Published: Mar 20, 2026 Last Modified: Mar 20, 2026
ExploitDB:
Other exploit source:
Google Dorks:
CRITICAL 9,3
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: changed
Confidentiality: high
Integrity: low
Availability: none

Description

AI Translation Available

WeGIA is a web manager for charitable institutions. Versions 3.6.5 and below contain an authenticated SQL Injection vulnerability in the html/matPat/restaurar_produto.php endpoint. The vulnerability allows an authenticated attacker to inject arbitrary SQL commands via the id_produto GET parameter, leading to full database compromise. In the script /html/matPat/restaurar_produto.php, the application retrieves the id_produto parameter directly from the $_GET global array and interpolates it directly into two SQL query strings without any sanitization, type-casting (e.g., (int)), or using parameterized (prepare/execute) statements. This issue has been fixed in version 3.6.6.

89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Stable
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Integrity Availability Authentication Access Control
Potential Impacts:
Execute Unauthorized Code Or Commands Read Application Data Gain Privileges Or Assume Identity Bypass Protection Mechanism Modify Application Data
Applicable Platforms
Languages: Not Language-Specific, SQL
Technologies: Database Server
Likelihood of Exploit: High
View CWE Details
https://github.com/LabRedesCefetRJ/WeGIA/pull/1457
https://github.com/LabRedesCefetRJ/WeGIA/pull/1457
https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.6
https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.6
https://github.com/LabRedesCefetRJ/WeGIA/security/advisorie…
https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-qg95-x997-66wq