CVE-2026-31895
Published: 11 March 2026
Summary
CVE-2026-31895 is a high-severity SQL Injection (CWE-89) vulnerability in Wegia Wegia. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation and sanitization of the id_produto GET parameter to block SQL injection attacks in the SQL queries.
Mandates risk-based remediation of the SQL injection flaw by upgrading to WeGIA version 3.6.6 where parameterization is implemented.
Facilitates discovery of the SQL injection vulnerability through automated scanning of the web application.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in a remotely accessible web application (AV:N) directly enables exploitation of the web app for initial access and data access.
NVD Description
WeGIA is a web manager for charitable institutions. Prior to version 3.6.6, WeGIA (Web gerenciador para instituições assistenciais) contains a SQL injection vulnerability in html/matPat/restaurar_produto.php. The id_produto parameter from $_GET is directly interpolated into SQL queries without parameterization or sanitization.…
more
This vulnerability is fixed in 3.6.6.
Deeper analysisAI
CVE-2026-31895 is a SQL injection vulnerability affecting WeGIA, an open-source web management system for charitable institutions, in versions prior to 3.6.6. The flaw resides in the file html/matPat/restaurar_produto.php, where the id_produto parameter from the $_GET superglobal is directly interpolated into SQL queries without parameterization or sanitization, enabling classic SQL injection attacks. This issue is classified under CWE-89 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant data compromise.
An attacker with low-privilege authenticated access (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction required (UI:N). Successful exploitation allows arbitrary SQL query manipulation, potentially leading to high-impact confidentiality violations such as data exfiltration, integrity violations like unauthorized data modification or deletion, and availability disruptions such as denial of service through database corruption.
The GitHub Security Advisory (GHSA-m39r-p62f-vmqm) from the WeGIA repository confirms the vulnerability and states that it is fully remediated in version 3.6.6, recommending immediate upgrades for affected installations. Practitioners should verify deployments, apply the patch, and audit similar parameter handling in PHP applications to prevent recurrence.
Details
- CWE(s)