CVE-2026-33133
Published: 20 March 2026
Summary
CVE-2026-33133 is a high-severity SQL Injection (CWE-89) vulnerability in Wegia Wegia. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the lack of content validation in loadBackupDB() by requiring validation of SQL files from uploaded backup archives to block arbitrary SQL execution.
Requires timely flaw remediation, such as patching to WeGIA 3.6.7, to eliminate the SQL injection vulnerability introduced in commit 370104c.
Enforces least privilege to restrict backup restoration access to only essential high-privilege users, reducing the PR:H attack surface for crafting malicious archives.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQLi in public web app (T1190) directly allows arbitrary DB operations to create accounts (T1136) and modify passwords/credentials (T1098).
NVD Description
WeGIA is a web manager for charitable institutions. In versions 3.6.5 and 3.6.6, the loadBackupDB() function imports SQL files from uploaded backup archives without any content validation. An attacker can craft a backup archive containing arbitrary SQL statements that create…
more
rogue administrator accounts, modify existing passwords, or execute any database operation. This was introduced in commit 370104c. This issue was patched in version 3.6.7.
Deeper analysisAI
CVE-2026-33133 is a SQL injection vulnerability (CWE-89) affecting WeGIA, an open-source web manager for charitable institutions, specifically in versions 3.6.5 and 3.6.6. The issue resides in the loadBackupDB() function, which imports SQL files from uploaded backup archives without any content validation. This flaw, introduced in commit 370104c, has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts.
An attacker with high privileges (PR:H), such as an authenticated user with access to the backup restoration feature, can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting a malicious backup archive containing arbitrary SQL statements, the attacker can create rogue administrator accounts, modify existing passwords, or perform any database operation, potentially leading to full compromise of the application's database.
The vulnerability was addressed in WeGIA version 3.6.7, as detailed in the project's GitHub security advisory (GHSA-qqff-p8fc-hg5f), the corresponding pull request (https://github.com/LabRedesCefetRJ/WeGIA/pull/1459), and the release notes (https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7). Security practitioners should upgrade to 3.6.7 or later and review access controls for backup restoration functions.
Details
- CWE(s)