Cyber Resilience

CVE-2026-35395

HighPublic PoC

Published: 06 April 2026

Published
06 April 2026
Modified
09 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0039 31.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-35395 is a high-severity SQL Injection (CWE-89) vulnerability in Wegia Wegia. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-35395 is a SQL injection vulnerability (CWE-89) in WeGIA, a web manager for charitable institutions (Web gerenciador para instituições assistenciais), affecting versions prior to 3.6.9. The issue occurs in the dao/memorando/DespachoDAO.php component, where the id_memorando parameter is extracted from $_REQUEST without validation and directly interpolated into SQL queries.

Any authenticated user can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L), no user interaction (UI:N), and unchanged scope (S:U). Exploitation enables execution of arbitrary SQL commands against the database, resulting in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with an overall CVSS 3.1 score of 8.8.

The vulnerability is addressed in WeGIA version 3.6.9. Additional details are available in the GitHub security advisory at https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-43jm-pcrq-w7gv.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, WeGIA (Web gerenciador para instituições assistenciais) contains a SQL injection vulnerability in dao/memorando/DespachoDAO.php. The id_memorando parameter is extracted from $_REQUEST without validation and directly interpolated into SQL queries, allowing…

more

any authenticated user to execute arbitrary SQL commands against the database. This vulnerability is fixed in 3.6.9.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in a remotely accessible web application directly maps to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-22141Same product: Wegia Wegia
CVE-2026-33134Same product: Wegia Wegia
CVE-2025-30365Same product: Wegia Wegia
CVE-2025-24905Same product: Wegia Wegia
CVE-2025-24901Same product: Wegia Wegia
CVE-2025-26612Same product: Wegia Wegia
CVE-2025-24902Same product: Wegia Wegia
CVE-2026-31895Same product: Wegia Wegia
CVE-2025-22140Same product: Wegia Wegia
CVE-2025-26605Same product: Wegia Wegia

Affected Assets

wegia
wegia
≤ 3.6.9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of the id_memorando parameter from $_REQUEST to prevent its direct interpolation into SQL queries, directly mitigating the SQL injection vulnerability.

prevent

Mandates timely identification, reporting, and correction of the SQL injection flaw fixed in WeGIA 3.6.9, eliminating the vulnerability through patching.

prevent

Enforces restrictions on information inputs like id_memorando to valid formats (e.g., integers only), blocking malicious SQL injection payloads.

References