CVE-2026-33134
Published: 20 March 2026
Summary
CVE-2026-33134 is a critical-severity SQL Injection (CWE-89) vulnerability in WeGIA (vendor Wegia). Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of the unsanitized id_produto GET parameter to block arbitrary SQL injection in the restaurar_produto.php endpoint.
- SI-2 (Flaw Remediation): mandates timely remediation of the SQL injection flaw by upgrading to WeGIA version 3.6.6 or later.
- Vulnerability scanning of the affected endpoint enables discovery of the SQL injection flaw in deployments that have not yet been upgraded.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a remotely accessible web application endpoint directly enables initial access via exploitation of a public-facing app (T1190), allowing arbitrary SQL execution for database compromise.
NVD Description
WeGIA is a web manager for charitable institutions. Versions 3.6.5 and below contain an authenticated SQL Injection vulnerability in the html/matPat/restaurar_produto.php endpoint. The vulnerability allows an authenticated attacker to inject arbitrary SQL commands via the id_produto GET parameter, leading to full database compromise. In the script /html/matPat/restaurar_produto.php, the application retrieves the id_produto parameter directly from the $_GET global array and interpolates it directly into two SQL query strings without any sanitization, type-casting (e.g., (int)), or using parameterized (prepare/execute) statements. This issue has been fixed in version 3.6.6.
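The interpolation-versus-binding difference the description refers to, shown as an added example in Python against an in-memory SQLite table. This is not WeGIA's code (WeGIA is PHP); the table name, column names, the sample rows and the use of a single UPDATE to stand in for one of the two affected query strings are all assumptions made for the illustration.

```python
"""Model of the CVE-2026-33134 pattern: a "restore product" update built by
string interpolation of id_produto, beside the same update done with an
integer check and a bound parameter. Schema, rows and query text are
constructed for this example and are not WeGIA's own."""
import re
import sqlite3


def make_db():
    # Constructed sample table: three inactive products waiting to be restored.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE produto (id_produto INTEGER PRIMARY KEY, nome TEXT, ativo INTEGER)"
    )
    conn.executemany(
        "INSERT INTO produto VALUES (?, ?, ?)",
        [(1, "Arroz", 0), (2, "Feijao", 0), (3, "Oleo", 0)],
    )
    conn.commit()
    return conn


def restaurar_vulneravel(conn, id_produto):
    """Vulnerable form: the raw GET value is pasted into the SQL text, so the
    WHERE clause is whatever the client chose. Returns the rows updated."""
    sql = f"UPDATE produto SET ativo = 1 WHERE id_produto = {id_produto}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def restaurar_seguro(conn, id_produto):
    """Hardened form: accept only a decimal integer string (same intent as a
    PHP (int) cast plus a validity check), then bind it as a parameter so the
    value can never alter the statement's structure."""
    if not isinstance(id_produto, str) or not re.fullmatch(r"[0-9]+", id_produto):
        raise ValueError("id_produto must be a positive integer")
    cur = conn.execute(
        "UPDATE produto SET ativo = 1 WHERE id_produto = ?", (int(id_produto),)
    )
    conn.commit()
    return cur.rowcount


def ativos(conn):
    """IDs of products currently marked active, to observe each call's effect."""
    return [
        r[0]
        for r in conn.execute(
            "SELECT id_produto FROM produto WHERE ativo = 1 ORDER BY id_produto"
        )
    ]


if __name__ == "__main__":
    db = make_db()
    print("legitimate id:", restaurar_vulneravel(db, "1"), "row(s) ->", ativos(db))
    db = make_db()
    # A tautology appended to the id turns a one-row update into a table-wide one.
    print("tautology:", restaurar_vulneravel(db, "1 OR 1=1"), "row(s) ->", ativos(db))
    db = make_db()
    try:
        restaurar_seguro(db, "1 OR 1=1")
    except ValueError as exc:
        print("hardened form rejected it:", exc)
```

The tautology is the mildest demonstration; with a database driver that allows stacked statements, or with UNION/subquery payloads in the SELECT half of the flow, the same interpolation reads or rewrites arbitrary tables, which is what the description means by full database compromise. The hardened function does both halves of the fix the description names: it rejects non-integer input before any SQL is built, and it binds the value rather than concatenating it.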
Deeper analysis
CVE-2026-33134 is an authenticated SQL injection vulnerability affecting WeGIA, an open-source web manager for charitable institutions, in versions 3.6.5 and earlier. The flaw resides in the `/html/matPat/restaurar_produto.php` endpoint, where the `id_produto` GET parameter is read directly from the `$_GET` superglobal and interpolated unsanitized into two SQL query strings, with no type cast, parameterization, or prepared statement. This enables arbitrary SQL command injection, potentially resulting in full database compromise. The issue is rated CVSS 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N) and maps to CWE-89. Two parts of that vector sit awkwardly with the NVD description: PR:N says no privileges are required even though the description calls the attack authenticated, and I:L says low integrity impact even though arbitrary SQL execution can rewrite any table. Treat the vector as a triage aid rather than a precise statement of preconditions, and assume that any valid application account is sufficient to reach the endpoint.
An attacker with a valid account can exploit this vulnerability remotely over the network with low complexity by placing SQL payloads in the `id_produto` parameter of requests to the vulnerable endpoint. Successful exploitation grants the ability to execute arbitrary SQL commands, allowing data exfiltration, modification, or deletion, up to complete database takeover depending on the privileges of the database account WeGIA connects with and on the database's configuration.
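Because the injection point is a GET parameter, attempts are visible in ordinary web server access logs. The following is an added detection check, not part of the advisory: it flags every request to the vulnerable endpoint whose id_produto value is not a plain decimal integer. The log lines are constructed for the example, the combined log format is assumed, and the unrelated path /html/index.php is a placeholder.

```python
"""Hunt for CVE-2026-33134 exploitation attempts in web access logs: any
request to restaurar_produto.php whose id_produto query value is not a plain
decimal integer is reported. Sample log lines are constructed here."""
import re
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/html/matPat/restaurar_produto.php"

# Combined-log-format fields we need; the referrer/user-agent tail is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one legitimate restore, two injection attempts from a
# second client (tautology, then a quoted time-based probe), and an unrelated hit.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Mar/2026:10:01:02 +0000] "GET /html/matPat/restaurar_produto.php?id_produto=42 HTTP/1.1" 302 0
10.0.0.9 - - [20/Mar/2026:10:01:09 +0000] "GET /html/matPat/restaurar_produto.php?id_produto=42%20OR%201%3D1 HTTP/1.1" 302 0
10.0.0.9 - - [20/Mar/2026:10:01:15 +0000] "GET /html/matPat/restaurar_produto.php?id_produto=42%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 500 0
10.0.0.5 - - [20/Mar/2026:10:02:00 +0000] "GET /html/index.php HTTP/1.1" 200 5120
"""


def flag_line(line):
    """Return a finding dict for a suspicious request to the vulnerable
    endpoint, or None. The query string is URL-decoded before the check so
    encoded spaces, quotes and operators are judged as PHP's $_GET sees them."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # endswith() tolerates an installation prefix in front of the WeGIA tree.
    if not parts.path.endswith(VULN_PATH):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("id_produto", []):
        if not re.fullmatch(r"[0-9]+", value):
            return {
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": m.group("status"),
                "id_produto": value,
            }
    return None


def scan(log_text):
    """Apply flag_line to every line and return the findings in log order."""
    return [f for f in (flag_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} id_produto={hit['id_produto']!r}")
```

The check is deliberately an allow-list on the parameter's expected shape rather than a pattern list of SQL keywords, so encoding tricks and unusual payloads are caught as well as the obvious ones. Because the endpoint requires authentication, a hit should be joined with the application's session or user logs to identify which account sent the request, and a 500 response after a quoted payload (as in the third constructed line) is a useful sign that the injected text reached the database.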
The vulnerability has been addressed in WeGIA version 3.6.6, as detailed in the project's GitHub security advisory (GHSA-qg95-x997-66wq), release notes, and associated pull request #1457. Security practitioners should upgrade to 3.6.6 or later and review access controls to the affected endpoint, ensuring no legacy deployments remain exposed.
Details
- CWE(s)