CVE-2026-33133

WeGIA is a web manager for charitable institutions. In versions 3.6.5 and 3.6.6, the loadBackupDB() function imports SQL files from uploaded backup archives without any content validation. An attacker can craft a backup archive containing arbitrary SQL statements that create rogue administrator accounts, modify existing passwords, or execute any database operation. This was introduced in commit 370104c. This issue was patched in version 3.6.7.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/LabRedesCefetRJ/WeGIA/pull/1459	Issue Tracking Patch
https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7	Product Release Notes
https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-qqff-p8fc-hg5f	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:wegia:wegia:3.6.5:::::::*
	cpe:2.3:a:wegia:wegia:3.6.6:::::::*

History

No history.

Information

Published : 2026-03-20 11:18

Updated : 2026-03-20 19:29

NVD link : CVE-2026-33133

Mitre link : CVE-2026-33133

CVE.ORG link : CVE-2026-33133

JSON object : View

Products Affected

wegia

wegia

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2026-33133", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-20T11:18:03.037", "references": [{"url": "https://github.com/LabRedesCefetRJ/WeGIA/pull/1459", "tags": ["Issue Tracking", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-qqff-p8fc-hg5f", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "WeGIA is a web manager for charitable institutions. In versions 3.6.5 and 3.6.6, the loadBackupDB() function imports SQL files from uploaded backup archives without any content validation. An attacker can craft a backup archive containing arbitrary SQL statements that create rogue administrator accounts, modify existing passwords, or execute any database operation. This was introduced in commit 370104c. This issue was patched in version 3.6.7."}, {"lang": "es", "value": "WeGIA es un gestor web para instituciones ben\u00e9ficas. En las versiones 3.6.5 y 3.6.6, la funci\u00f3n loadBackupDB() importa archivos SQL de archivos de copia de seguridad subidos sin ninguna validaci\u00f3n de contenido. Un atacante puede crear un archivo de copia de seguridad que contenga sentencias SQL arbitrarias que creen cuentas de administrador maliciosas, modifiquen contrase\u00f1as existentes o ejecuten cualquier operaci\u00f3n de base de datos. Esto fue introducido en el commit 370104c. Este problema fue parcheado en la versi\u00f3n 3.6.7."}], "lastModified": "2026-03-20T19:29:20.317", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wegia:wegia:3.6.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "45337EFE-D771-4223-BE77-E226D1D72FBF"}, {"criteria": "cpe:2.3:a:wegia:wegia:3.6.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2CE46858-8303-463F-8C23-DC40F207EBDC"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}