CVE-2026-33134 CRITICAL

CVE-2026-33134: WeGIA has Authenticated Time-Based Blind SQL Injection in `restaurar_produto.php` via `id_produto` parameter

Vendor Labredescefetrj
Product WeGIA
Weakness CWE-89 · SQLi
Published March 20, 2026
Last update March 20, 2026
View on NVD All CVEs

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

What the vulnerability does

01Description

WeGIA is a web manager for charitable institutions. Versions 3.6.5 and below contain an authenticated SQL Injection vulnerability in the html/matPat/restaurar_produto.php endpoint. The vulnerability allows an authenticated attacker to inject arbitrary SQL commands via the id_produto GET parameter, leading to full database compromise. In the script /html/matPat/restaurar_produto.php, the application retrieves the id_produto parameter directly from the $_GET global array and interpolates it directly into two SQL query strings without any sanitization, type-casting (e.g., (int)), or using parameterized (prepare/execute) statements. This issue has been fixed in version 3.6.6.

Key dates

02Disclosure timeline

March 20, 2026 CVE published
March 20, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-23538 Apache Fineract: Under certain system configurations, the sqlSearch parameter was vulnerable to SQL injection attacks, potentially allowing attackers to manipulate database queries. CVE-2024-30491 WordPress ProfileGrid – User Profiles, Memberships, Groups and Communities plugin <= 5.7.8 - SQL Injection vulnerability CVE-2026-9065 Surecart - SQL Injection CVE-2025-6956 Campcodes Employee Management System changepassemp.php sql injection CVE-2015-10111 Watu Quiz Plugin Exam exam.php watu_exams sql injection