CVE-2026-35395
Published: 06 April 2026
Summary
CVE-2026-35395 is a high-severity SQL Injection (CWE-89) vulnerability in Wegia Wegia. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of the id_memorando parameter from $_REQUEST to prevent its direct interpolation into SQL queries, directly mitigating the SQL injection vulnerability.
Mandates timely identification, reporting, and correction of the SQL injection flaw fixed in WeGIA 3.6.9, eliminating the vulnerability through patching.
Enforces restrictions on information inputs like id_memorando to valid formats (e.g., integers only), blocking malicious SQL injection payloads.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in a remotely accessible web application directly maps to exploitation of public-facing applications.
NVD Description
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, WeGIA (Web gerenciador para instituições assistenciais) contains a SQL injection vulnerability in dao/memorando/DespachoDAO.php. The id_memorando parameter is extracted from $_REQUEST without validation and directly interpolated into SQL queries, allowing…
more
any authenticated user to execute arbitrary SQL commands against the database. This vulnerability is fixed in 3.6.9.
Deeper analysisAI
CVE-2026-35395 is a SQL injection vulnerability (CWE-89) in WeGIA, a web manager for charitable institutions (Web gerenciador para instituições assistenciais), affecting versions prior to 3.6.9. The issue occurs in the dao/memorando/DespachoDAO.php component, where the id_memorando parameter is extracted from $_REQUEST without validation and directly interpolated into SQL queries.
Any authenticated user can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L), no user interaction (UI:N), and unchanged scope (S:U). Exploitation enables execution of arbitrary SQL commands against the database, resulting in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with an overall CVSS 3.1 score of 8.8.
The vulnerability is addressed in WeGIA version 3.6.9. Additional details are available in the GitHub security advisory at https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-43jm-pcrq-w7gv.
Details
- CWE(s)