Platform: php
Component: wegia
Fixed in: 3.6.7
CVE-2026-33134 describes a critical SQL Injection vulnerability discovered in WeGIA, a web manager for charitable institutions. This vulnerability allows an authenticated attacker to execute arbitrary SQL commands, potentially leading to complete database compromise. The issue affects versions of WeGIA up to and including 3.6.5. A patch is available in version 3.6.6.
The SQL Injection vulnerability in WeGIA allows an authenticated attacker to directly manipulate database queries. By injecting malicious SQL code through the idproduto GET parameter in the /html/matPat/restaurarproduto.php endpoint, an attacker can bypass security controls and execute arbitrary commands. This could result in the unauthorized retrieval, modification, or deletion of sensitive data, including donor information, financial records, and user credentials. Successful exploitation could also lead to privilege escalation and complete control over the WeGIA application and underlying database server. The potential for data exfiltration and disruption is significant.
CVE-2026-33134 was publicly disclosed on 2026-03-20. While no active exploitation campaigns have been publicly reported, the vulnerability's critical severity and ease of exploitation (requiring only authentication) make it a high-priority target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
Exploit Status
EPSS: 0.03% (10th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-33134 is to upgrade WeGIA immediately to version 3.6.6 or later, which contains the fix. If upgrading is not immediately feasible, consider temporary workarounds such as restricting access to the /html/matPat/restaurarproduto.php endpoint to trusted users only. Web Application Firewalls (WAFs) can be configured to detect and block SQL Injection attempts targeting the idproduto parameter. Thorough input validation and sanitization should be implemented in future development to prevent similar vulnerabilities. After upgrading, confirm the fix by attempting to inject a simple SQL statement through the idproduto parameter and verifying that it is properly sanitized.
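The input-validation point above, as an added illustration that is not WeGIA's code: a handler that concatenates the idproduto GET parameter into SQL (the vulnerable pattern) next to one that validates it as a positive integer and binds it as a prepared-statement parameter. The table name produto, the column ativo and the SQLite demo database are assumptions made for this example.

```php
<?php
// Added example: vulnerable pattern vs. hardened form for an id parameter.
// Not WeGIA's code; the produto/ativo schema is assumed for illustration.
declare(strict_types=1);

// Vulnerable pattern: the GET parameter is pasted straight into the SQL text,
// so any value that is not a plain integer changes the query's structure.
function restoreProductVulnerable(PDO $db, array $get): int
{
    $id  = $get['idproduto'] ?? '';
    $sql = 'UPDATE produto SET ativo = 1 WHERE idproduto = ' . $id; // never do this
    return $db->exec($sql);
}

// Hardened form: reject anything that is not a positive integer, then bind the
// value as a typed parameter so the database never parses it as SQL.
function restoreProductHardened(PDO $db, array $get): int
{
    $id = filter_var($get['idproduto'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('idproduto must be a positive integer');
    }
    $stmt = $db->prepare('UPDATE produto SET ativo = 1 WHERE idproduto = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Demo on a constructed in-memory SQLite database (assumed schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE produto (idproduto INTEGER PRIMARY KEY, ativo INTEGER NOT NULL)');
$db->exec('INSERT INTO produto (idproduto, ativo) VALUES (1, 0), (2, 0), (3, 0)');

echo restoreProductHardened($db, ['idproduto' => '2']) . " row(s) restored\n";
try {
    // A non-numeric value is rejected before any SQL is built.
    restoreProductHardened($db, ['idproduto' => '2 OR 1=1']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

The same validate-then-bind shape applies to every numeric identifier an endpoint reads from the request, not only idproduto.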
Update WeGIA to version 3.6.6 or later. This version fixes the SQL injection vulnerability. Making a backup before updating is recommended.
CVE-2026-33134 is a critical SQL Injection vulnerability affecting WeGIA versions 3.6.5 and below. An attacker can inject malicious SQL code to compromise the database.
You are affected if you are using WeGIA version 3.6.5 or earlier. Upgrade to version 3.6.6 to mitigate the risk.
Upgrade WeGIA to version 3.6.6 or later. As a temporary workaround, restrict access to the vulnerable endpoint and implement WAF rules.
While no active exploitation campaigns have been publicly reported, the vulnerability's severity and ease of exploitation make it a high-priority target.
Refer to the WeGIA official website or security advisories for the latest information and updates regarding CVE-2026-33134.