CVE-2026-31896
Published: 11 March 2026
Summary
CVE-2026-31896 is a critical-severity SQL Injection (CWE-89) vulnerability in Wegia Wegia. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the CVE by requiring timely remediation of the specific SQL injection flaw fixed in WeGIA version 3.6.6.
Prevents SQL injection by enforcing validation and sanitization of untrusted inputs from $_REQUEST before concatenation into SQL queries.
Mitigates exploitation through boundary protections like web application firewalls configured with SQL injection detection rules as an interim measure.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in unauthenticated public-facing web endpoint directly enables T1190 (Exploit Public-Facing Application) for initial access; arbitrary SQL execution on the backend database directly enables T1213.006 (Data from Information Repositories: Databases) for data collection or DoS.
NVD Description
WeGIA is a web manager for charitable institutions. Prior to version 3.6.6, a critical SQL injection vulnerability exists in the WeGIA application. The remover_produto_ocultar.php script uses extract($_REQUEST) to populate local variables and then directly concatenates these variables into a SQL…
more
query executed via PDO::query. This allows an authenticated (or auth-bypassed) attacker to execute arbitrary SQL commands. This can be used to exfiltrate sensitive data from the database or, as demonstrated in this PoC, cause a time-based delay (denial of service). This vulnerability is fixed in 3.6.6.
Deeper analysisAI
CVE-2026-31896 is a critical SQL injection vulnerability (CWE-89) affecting WeGIA, an open-source web manager for charitable institutions, in versions prior to 3.6.6. The issue resides in the remover_produto_ocultar.php script, which uses extract($_REQUEST) to populate local variables and then directly concatenates them into a SQL query executed via PDO::query, enabling arbitrary SQL command execution. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote exploitation without authentication or user interaction.
An unauthenticated attacker with network access can exploit this vulnerability by sending crafted requests to the affected endpoint, allowing execution of arbitrary SQL commands. Successful exploitation enables exfiltration of sensitive data from the database or induction of time-based delays for denial-of-service, as shown in a proof-of-concept. The lack of input sanitization or parameterization in the query construction makes it straightforward for attackers to inject payloads.
The GitHub Security Advisory (GHSA-w7g3-87cr-8m83) confirms the vulnerability is fixed in WeGIA version 3.6.6, recommending immediate upgrades to mitigate the risk. Practitioners should verify deployments, review access logs for suspicious activity, and implement web application firewalls with SQL injection rules as interim protections until patching is complete.
Details
- CWE(s)