CVE-2026-40285
Published: 17 April 2026
Summary
CVE-2026-40285 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 11.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of untrusted inputs such as the cpf_usuario POST parameter before they reach a SQL query. Validation narrows what an attacker can supply; the injection itself is eliminated only when the value is bound as a query parameter rather than interpolated into the statement text.
- SI-2 (Flaw Remediation): mandates identification, reporting, testing, and correction of the specific flaw in dao/memorando/UsuarioDAO.php and DespachoControle::verificarDespacho(), i.e. upgrading to WeGIA 3.6.10 or later.
- Vulnerability scanning and follow-up remediation, to detect unpatched WeGIA instances affected by CVE-2026-40285 before they can be exploited.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A SQL injection in a web application that also overwrites the session identity maps to Exploit Public-Facing Application (T1190) for the initial network exploitation, Exploitation for Privilege Escalation (T1068) for acting under another user's identity, and unauthorized database queries (T1213.006) for the data the attacker can then read.
NVD Description
WeGIA is a web manager for charitable institutions. Versions prior to 3.6.10 contain a SQL injection vulnerability in dao/memorando/UsuarioDAO.php. The cpf_usuario POST parameter overwrites the session-stored user identity via extract($_REQUEST) in DespachoControle::verificarDespacho(), and the attacker-controlled value is then interpolated directly into a raw SQL query, allowing any authenticated user to query the database under an arbitrary identity. Version 3.6.10 fixes the issue.
Deeper analysis
CVE-2026-40285 is a SQL injection vulnerability in WeGIA, a web-based management system for charitable institutions, affecting versions prior to 3.6.10. The flaw has two parts. First, DespachoControle::verificarDespacho() calls extract($_REQUEST), which turns every request key into a local variable and so lets a POST parameter named cpf_usuario silently replace the identity value the application had already taken from the session. Second, the code in dao/memorando/UsuarioDAO.php interpolates that value directly into a raw SQL string instead of binding it as a parameter. Either defect alone would be a finding; together they let an authenticated user both choose whose identity the query runs under and inject arbitrary SQL.
The vulnerability can be exploited by any low-privileged authenticated user (PR:L) over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). With high impact to confidentiality, integrity and availability and unchanged scope, the vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, giving a base score of 8.8. An attacker can run queries as an arbitrary user, which at minimum exposes data belonging to other identities and, depending on what the injected SQL can reach, allows records to be modified or the service disrupted. The issue is associated with CWE-89 (SQL Injection), CWE-302 (Authentication Bypass by Assumed-Immutable Data), and CWE-473 (PHP External Variable Modification).
The GitHub Security Advisory GHSA-666r-v2m7-xgp9, published on 2026-04-17, documents the issue and confirms that upgrading to WeGIA version 3.6.10 addresses the vulnerability by fixing the insecure parameter handling and the SQL interpolation. Until the upgrade is applied, the authenticated-only precondition (PR:L) is the only barrier, so any account on an exposed instance should be treated as able to reach the flaw.
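The two-part mechanism described above, as an added illustration in PHP. This is not WeGIA's code and not a copy of UsuarioDAO.php or DespachoControle: the table and column names, the session key, the simplified function names and the in-memory SQLite database are assumptions chosen so the pattern can be exercised offline, and the $request array stands in for $_REQUEST. The first function reproduces the vulnerable shape (extract() overwriting the session-derived identity, then string interpolation); the second shows the hardened shape (identity taken only from the session, request fields read by name, value bound with a prepared statement).

```php
<?php
// Added example, not WeGIA's code. Table "usuario", columns "cpf"/"nome"/"perfil"
// and the session key "cpf_usuario" are assumptions for this illustration.

// --- Vulnerable shape (mirrors the advisory's description) ---
function verificarDespachoVulneravel(PDO $db, array $request, array $session): array
{
    // The application has already established who is logged in.
    $cpf_usuario = $session['cpf_usuario'];

    // extract() turns every request key into a local variable. Its default
    // flag is EXTR_OVERWRITE, so a POST field named cpf_usuario replaces the
    // value just read from the session (CWE-473 / CWE-302).
    extract($request);

    // The now attacker-controlled value is interpolated into raw SQL (CWE-89).
    $sql = "SELECT cpf, nome, perfil FROM usuario WHERE cpf = '$cpf_usuario'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened shape ---
function verificarDespachoSeguro(PDO $db, array $request, array $session): array
{
    // Identity comes from the server-side session only. Never extract() the
    // request; read the specific fields you need by name instead.
    $cpf_usuario = $session['cpf_usuario'] ?? null;
    if (!is_string($cpf_usuario) || !preg_match('/^\d{11}$/', $cpf_usuario)) {
        throw new RuntimeException('no valid authenticated identity in session');
    }
    // $request is deliberately not consulted for identity.

    // Parameter binding: the value can never change the statement's structure.
    $stmt = $db->prepare('SELECT cpf, nome, perfil FROM usuario WHERE cpf = :cpf');
    $stmt->execute([':cpf' => $cpf_usuario]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Demonstration against constructed data in an in-memory SQLite database ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE usuario (cpf TEXT, nome TEXT, perfil TEXT)');
$db->exec("INSERT INTO usuario VALUES ('11111111111', 'alice', 'funcionario'),
                                      ('22222222222', 'root',  'administrador')");

$session = ['cpf_usuario' => '11111111111'];          // alice is really logged in

// 1) Identity overwrite: the request simply names someone else's CPF.
$impersonate = ['cpf_usuario' => '22222222222'];
print_r(verificarDespachoVulneravel($db, $impersonate, $session)); // root's row

// 2) Classic injection: the quote breaks out of the literal, tautology returns all rows.
$inject = ['cpf_usuario' => "' OR '1'='1"];
print_r(verificarDespachoVulneravel($db, $inject, $session));      // every row

// Hardened: the same hostile requests cannot change whose row is returned.
print_r(verificarDespachoSeguro($db, $impersonate, $session));     // alice only
print_r(verificarDespachoSeguro($db, $inject, $session));          // alice only
```

Two design points carry over to any PHP code base, not just this one: identity state must live in server-side session storage that request parsing cannot touch (so no extract() or variable-variables over $_REQUEST, $_GET or $_POST anywhere on the request path), and every value that reaches SQL must travel as a bound parameter. Input validation (SI-10) is worth keeping, as in the CPF format check above, but it is the second property that removes the injection class entirely.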
Details
- CWE(s): CWE-89 (SQL Injection), CWE-302 (Authentication Bypass by Assumed-Immutable Data), CWE-473 (PHP External Variable Modification)