CVE-2026-31896 CRITICAL

CVE-2026-31896: WeGIA has a Time-Based Blind SQL Injection in remover_produto_ocultar.php

Vendor Labredescefetrj

Product WeGIA

Weakness CWE-89 · SQLi

Published March 11, 2026

Last update March 12, 2026

View on NVD All CVEs

CVSS base score

9.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

WeGIA is a web manager for charitable institutions. Prior to version 3.6.6, a critical SQL injection vulnerability exists in the WeGIA application. The remover_produto_ocultar.php script uses extract($_REQUEST) to populate local variables and then directly concatenates these variables into a SQL query executed via PDO::query. This allows an authenticated (or auth-bypassed) attacker to execute arbitrary SQL commands. This can be used to exfiltrate sensitive data from the database or, as demonstrated in this PoC, cause a time-based delay (denial of service). This vulnerability is fixed in 3.6.6.

Key dates

Disclosure timeline

March 11, 2026 CVE published

March 12, 2026 Record updated