Cyber Resilience

CVE-2026-31895

HighPublic PoC

Published: 11 March 2026

Published
11 March 2026
Modified
13 March 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0039 30.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-31895 is a high-severity SQL Injection (CWE-89) vulnerability in Wegia Wegia. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31895 is a SQL injection vulnerability affecting WeGIA, an open-source web management system for charitable institutions, in versions prior to 3.6.6. The flaw resides in the file html/matPat/restaurar_produto.php, where the id_produto parameter from the $_GET superglobal is directly interpolated into SQL queries without parameterization or sanitization, enabling classic SQL injection attacks. This issue is classified under CWE-89 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant data compromise.

An attacker with low-privilege authenticated access (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction required (UI:N). Successful exploitation allows arbitrary SQL query manipulation, potentially leading to high-impact confidentiality violations such as data exfiltration, integrity violations like unauthorized data modification or deletion, and availability disruptions such as denial of service through database corruption.

The GitHub Security Advisory (GHSA-m39r-p62f-vmqm) from the WeGIA repository confirms the vulnerability and states that it is fully remediated in version 3.6.6, recommending immediate upgrades for affected installations. Practitioners should verify deployments, apply the patch, and audit similar parameter handling in PHP applications to prevent recurrence.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

WeGIA is a web manager for charitable institutions. Prior to version 3.6.6, WeGIA (Web gerenciador para instituições assistenciais) contains a SQL injection vulnerability in html/matPat/restaurar_produto.php. The id_produto parameter from $_GET is directly interpolated into SQL queries without parameterization or sanitization.…

more

This vulnerability is fixed in 3.6.6.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in a remotely accessible web application (AV:N) directly enables exploitation of the web app for initial access and data access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-22141Same product: Wegia Wegia
CVE-2026-33134Same product: Wegia Wegia
CVE-2025-30365Same product: Wegia Wegia
CVE-2025-24905Same product: Wegia Wegia
CVE-2025-24901Same product: Wegia Wegia
CVE-2025-26612Same product: Wegia Wegia
CVE-2025-24902Same product: Wegia Wegia
CVE-2025-22140Same product: Wegia Wegia
CVE-2025-26605Same product: Wegia Wegia
CVE-2024-57034Same product: Wegia Wegia

Affected Assets

wegia
wegia
≤ 3.6.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the id_produto GET parameter to block SQL injection attacks in the SQL queries.

prevent

Mandates risk-based remediation of the SQL injection flaw by upgrading to WeGIA version 3.6.6 where parameterization is implemented.

detect

Facilitates discovery of the SQL injection vulnerability through automated scanning of the web application.

References