Cyber Resilience

CVE-2026-33134

Critical · Public PoC

Published: 20 March 2026
Modified: 20 March 2026
CVSS Score (v3.1): 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N)
EPSS Score: 0.0030 (21.9th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-33134 is a critical-severity SQL Injection (CWE-89) vulnerability in Wegia Wegia. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33134 is an authenticated SQL injection vulnerability affecting WeGIA, an open-source web manager for charitable institutions, in versions 3.6.5 and prior. The flaw resides in the `/html/matPat/restaurar_produto.php` endpoint, where the `id_produto` GET parameter is pulled directly from the `$_GET` superglobal and interpolated unsanitized into two SQL query strings, without type casting, parameterization, or prepared statements. This enables arbitrary SQL command injection, potentially resulting in full database compromise. The issue is rated at CVSS 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N) and maps to CWE-89.

An authenticated attacker can exploit this vulnerability remotely over the network with low complexity by crafting malicious payloads in the `id_produto` parameter during requests to the vulnerable endpoint. Successful exploitation grants the ability to execute arbitrary SQL commands, allowing data exfiltration, modification, or deletion, up to complete database takeover depending on user privileges and database configuration.

The vulnerability has been addressed in WeGIA version 3.6.6, as detailed in the project's GitHub security advisory (GHSA-qg95-x997-66wq), release notes, and associated pull request #1457. Security practitioners should upgrade to 3.6.6 or later and review access controls to the affected endpoint, ensuring no legacy deployments remain exposed.

Vulnerability details

WeGIA is a web manager for charitable institutions. Versions 3.6.5 and below contain an authenticated SQL Injection vulnerability in the html/matPat/restaurar_produto.php endpoint. The vulnerability allows an authenticated attacker to inject arbitrary SQL commands via the id_produto GET parameter, leading to full database compromise. In the script /html/matPat/restaurar_produto.php, the application retrieves the id_produto parameter directly from the $_GET global array and interpolates it directly into two SQL query strings without any sanitization, type-casting (e.g., (int)), or using parameterized (prepare/execute) statements. This issue has been fixed in version 3.6.6.
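The pattern described above, rendered as an added PHP illustration that is not WeGIA's own code: the unsanitized interpolation into two query strings, beside a version that validates `id_produto` as a positive integer and binds it through prepared statements. The table and column names (produto, log_produto, ativo, acao) and the connection details are assumptions; only the parameter name id_produto comes from the advisory.

```php
<?php
// Added illustration, not WeGIA's code. Schema names are hypothetical.

// --- Vulnerable shape (CWE-89): request value dropped straight into two queries ---
function restaurarProdutoInseguro(mysqli $db): void
{
    $id = $_GET['id_produto'];            // untyped, unvalidated string
    $db->query("UPDATE produto SET ativo = 1 WHERE id_produto = $id");
    $db->query("INSERT INTO log_produto (id_produto, acao) VALUES ($id, 'restaurar')");
}

// --- Hardened shape: validate/cast first, then bind as a parameter ---
function restaurarProdutoSeguro(PDO $db, array $query): bool
{
    // Reject anything that is not a positive integer before it reaches SQL.
    $id = filter_var($query['id_produto'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return false;
    }

    $db->beginTransaction();
    try {
        // Bound parameters travel as data and cannot change the query structure.
        $upd = $db->prepare('UPDATE produto SET ativo = 1 WHERE id_produto = :id');
        $upd->execute([':id' => $id]);

        $log = $db->prepare('INSERT INTO log_produto (id_produto, acao) VALUES (:id, :acao)');
        $log->execute([':id' => $id, ':acao' => 'restaurar']);

        $db->commit();
        return $upd->rowCount() === 1;   // exactly one product restored
    } catch (PDOException $e) {
        $db->rollBack();
        throw $e;
    }
}

// Disable client-side emulation so placeholders are real server-side prepared
// statements; error mode as exceptions keeps failures from being silently ignored.
$pdo = new PDO('mysql:host=localhost;dbname=wegia', 'user', 'pass', [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);
restaurarProdutoSeguro($pdo, $_GET);
```

The validation step rejects non-numeric input with a 400 before any query runs, so the prepared statement is the second line of defence rather than the only one.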


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in a remotely accessible web application endpoint directly enables initial access via exploitation of a public-facing app (T1190), allowing arbitrary SQL execution for database compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-22141 · Same product: Wegia Wegia
CVE-2025-30365 · Same product: Wegia Wegia
CVE-2025-24905 · Same product: Wegia Wegia
CVE-2025-24901 · Same product: Wegia Wegia
CVE-2025-26612 · Same product: Wegia Wegia
CVE-2025-24902 · Same product: Wegia Wegia
CVE-2026-31895 · Same product: Wegia Wegia
CVE-2025-22140 · Same product: Wegia Wegia
CVE-2025-26605 · Same product: Wegia Wegia
CVE-2024-57034 · Same product: Wegia Wegia

Affected Assets

wegia
wegia
≤ 3.6.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent (SI-10, Information Input Validation): Directly requires validation of the unsanitized id_produto GET parameter to block arbitrary SQL injection in the restaurar_produto.php endpoint.

Prevent (SI-2, Flaw Remediation): Mandates timely remediation of the SQL injection flaw by upgrading to WeGIA version 3.6.6 or later.

Detect: Enables discovery of the SQL injection vulnerability through vulnerability scanning of the affected endpoint.
