Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.8
WeGIA Web Manager SQL Injection Allows Data Theft or Denial of Service
CVE-2026-31896
Summary
WeGIA's web manager before version 3.6.6 is vulnerable to a serious security flaw that allows attackers to access and steal sensitive data or disrupt the system. This affects charitable institutions that use WeGIA. Update to version 3.6.6 or later to fix the issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| wegia | wegia | <= 3.6.6 | – |
Original title
WeGIA is a web manager for charitable institutions. Prior to version 3.6.6, a critical SQL injection vulnerability exists in the WeGIA application. The remover_produto_ocultar.php script uses extra...
Original description
WeGIA is a web manager for charitable institutions. Prior to version 3.6.6, a critical SQL injection vulnerability exists in the WeGIA application. The remover_produto_ocultar.php script uses extract($_REQUEST) to populate local variables and then directly concatenates these variables into a SQL query executed via PDO::query. This allows an authenticated (or auth-bypassed) attacker to execute arbitrary SQL commands. This can be used to exfiltrate sensitive data from the database or, as demonstrated in this PoC, cause a time-based delay (denial of service). This vulnerability is fixed in 3.6.6.
nvd CVSS3.1
9.8
Vulnerability type
CWE-89
SQL Injection
Published: 11 Mar 2026 · Updated: 14 Mar 2026 · First seen: 11 Mar 2026