anonhaven
Ad

CVE-2026-33133

HIGH CVSS 4.0: 8.6 EPSS 0.07%
Updated Mar 20, 2026
Wegia
Parameter Value
CVSS 8.6 (HIGH)
Fixed In 3.6.7
Type CWE-89 (SQL Injection)
Vendor Wegia
Public PoC No

WeGIA is a web manager for charitable institutions. In versions 3.6.5 and 3.6.6, the loadBackupDB() function imports SQL files from uploaded backup archives without any content validation. An attacker can craft a backup archive containing arbitrary SQL statements that create rogue administrator accounts, modify existing passwords, or execute any database operation.

This was introduced in commit 370104c. This issue was patched in version 3.6.7.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
High
Admin privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service

CVSS Vector v4.0

Weakness Type (CWE)

CWE-89 SQL Injection

Vulnerable Products 2

Configuration From (including) Up to (excluding)
Wegia Wegia
cpe:2.3:a:wegia:wegia:3.6.5:*:*:*:*:*:*:*
Wegia Wegia
cpe:2.3:a:wegia:wegia:3.6.6:*:*:*:*:*:*:*

References 3

https://github.com/LabRedesCefetRJ/WeGIA/pull/1459
security-advisories@github.com
https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7
security-advisories@github.com
https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-qqff-p8fc-hg5f
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-35475

Wegia

5.1

CVE-2026-35474

Wegia

5.1

CVE-2026-35399

Wegia

8.5

CVE-2026-28409

Wegia

10.0