CVE-2026-33991
Published: 27 March 2026
Summary
CVE-2026-33991 is a high-severity SQL Injection (CWE-89) vulnerability in Wegia Wegia. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 directly prevents SQL injection by requiring validation of inputs like the unsanitized $id_tag parameter before use in database queries.
SI-2 mandates remediation of the specific SQL injection flaw through patching to WeGIA version 3.6.7, which implements secure query handling.
SI-9 mitigates SQL injection by restricting inputs such as id_tag to expected types and formats, blocking common malicious payloads.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in remotely accessible web app directly enables T1190 exploitation; arbitrary queries facilitate database data access (T1213.006) and stored data manipulation/deletion (T1565.001).
NVD Description
WeGIA is a web manager for charitable institutions. Prior to version 3.6.7, the file `html/socio/sistema/deletar_tag.php` uses `extract($_REQUEST)` on line 14 and directly concatenates the `$id_tag` variable into SQL queries on lines 16-17 without prepared statements or sanitization. Version 3.6.7 patches…
more
the vulnerability.
Deeper analysisAI
CVE-2026-33991 is a SQL injection vulnerability (CWE-89) affecting WeGIA, an open-source web manager for charitable institutions, in versions prior to 3.6.7. The issue resides in the file `html/socio/sistema/deletar_tag.php`, where line 14 uses `extract($_REQUEST)` to populate variables, and lines 16-17 directly concatenate the unsanitized `$id_tag` variable into SQL queries without prepared statements or input sanitization. This flaw has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
An attacker with low privileges, such as an authenticated user with network access to the application, can exploit this vulnerability by manipulating the `id_tag` parameter in requests to the `deletar_tag.php` endpoint. Successful exploitation enables arbitrary SQL query execution, potentially allowing the attacker to read sensitive data, modify database contents, or delete records, leading to high impacts on confidentiality, integrity, and availability.
The GitHub Security Advisory (GHSA-74xm-6wgf-x37j) for the WeGIA repository confirms that version 3.6.7 addresses the vulnerability by patching the insecure code in `deletar_tag.php`. Security practitioners should upgrade to WeGIA 3.6.7 or later and review access controls to the affected endpoint as an interim measure.
Details
- CWE(s)