CVE-2026-33991 Overview
CVE-2026-33991 is a SQL Injection vulnerability in WeGIA, a web manager for charitable institutions. The vulnerability exists in the file html/socio/sistema/deletar_tag.php which uses extract($_REQUEST) on line 14 and directly concatenates the $id_tag variable into SQL queries on lines 16-17 without prepared statements or sanitization. This allows authenticated attackers to manipulate database queries and potentially access, modify, or delete sensitive data.
Critical Impact
Authenticated attackers can execute arbitrary SQL commands against the database, potentially leading to unauthorized data access, data manipulation, or complete database compromise affecting charitable institution records.
Affected Products
- WeGIA versions prior to 3.6.7
- WeGIA web manager installations using the vulnerable deletar_tag.php component
Discovery Timeline
- 2026-03-27 - CVE-2026-33991 published to NVD
- 2026-03-31 - Last updated in NVD database
Technical Details for CVE-2026-33991
Vulnerability Analysis
This vulnerability stems from unsafe coding practices in WeGIA's tag deletion functionality. The vulnerable file deletar_tag.php employs PHP's dangerous extract() function on user-supplied request data, which automatically creates variables from array keys. This means any parameter sent in the HTTP request becomes a PHP variable in the script's scope.
The critical flaw occurs when the $id_tag variable, now controlled by user input, is directly concatenated into SQL queries without any form of input validation, parameterization, or escaping. This classic SQL Injection pattern allows attackers to break out of the intended query structure and inject malicious SQL statements.
Since this vulnerability requires authentication (low privileges required), it represents an insider threat or a post-authentication attack vector where an authenticated user with minimal privileges could escalate their access to the entire database.
Root Cause
The root cause is twofold: First, the use of extract($_REQUEST) which is a well-documented dangerous PHP practice that should never be used on untrusted data. Second, the lack of prepared statements or parameterized queries when constructing SQL commands. The combination of these two unsafe patterns creates a direct pathway for SQL Injection attacks.
Attack Vector
The attack is network-based and requires low-privilege authentication to the WeGIA application. An attacker would authenticate with valid credentials and then craft malicious HTTP requests to the deletar_tag.php endpoint. By manipulating the id_tag parameter with SQL injection payloads, the attacker can modify the intended query behavior.
Exploitation could involve techniques such as UNION-based injection to extract data from other tables, boolean-based blind injection to enumerate database contents, or time-based blind injection if direct output is not visible. The attacker could potentially read sensitive donor information, financial records, or administrative credentials stored in the database.
Detection Methods for CVE-2026-33991
Indicators of Compromise
- Unusual or malformed requests to /html/socio/sistema/deletar_tag.php containing SQL syntax characters such as single quotes, semicolons, or SQL keywords
- Web server access logs showing id_tag parameters with encoded SQL injection payloads
- Database query logs revealing unexpected queries or syntax errors originating from the tag deletion functionality
- Evidence of data exfiltration or unauthorized database modifications
Detection Strategies
- Deploy Web Application Firewall (WAF) rules to detect SQL injection patterns in requests to WeGIA endpoints
- Enable detailed logging on the WeGIA application and database server to capture suspicious query patterns
- Implement database activity monitoring to alert on anomalous query structures or unauthorized data access
- Use application security testing tools to scan for SQL injection vulnerabilities in WeGIA installations
Monitoring Recommendations
- Monitor HTTP request logs for SQL injection attack signatures targeting the deletar_tag.php endpoint
- Set up alerts for database errors or exceptions that may indicate attempted SQL injection exploitation
- Track authentication events and correlate with requests to sensitive administrative endpoints
- Review database audit logs for unexpected SELECT, UPDATE, or DELETE operations on sensitive tables
How to Mitigate CVE-2026-33991
Immediate Actions Required
- Upgrade WeGIA to version 3.6.7 or later immediately to patch this vulnerability
- If immediate patching is not possible, restrict network access to the WeGIA application to trusted IP ranges
- Implement WAF rules to block SQL injection attempts targeting the affected endpoint
- Review database access logs for evidence of exploitation and investigate any suspicious activity
Patch Information
WeGIA version 3.6.7 addresses this SQL Injection vulnerability by implementing proper input sanitization and prepared statements. Administrators should update their installations as soon as possible. For detailed patch information, refer to the GitHub Security Advisory GHSA-74xm-6wgf-x37j.
Workarounds
- Implement a Web Application Firewall with SQL injection detection rules to filter malicious requests before they reach the application
- Restrict access to the vulnerable endpoint /html/socio/sistema/deletar_tag.php using web server access controls or authentication requirements
- Apply network segmentation to limit who can access the WeGIA administrative interface
- If the tag deletion feature is not critical, consider temporarily disabling or removing the deletar_tag.php file until patching is complete
# Example: Block access to vulnerable endpoint using Apache .htaccess
<Files "deletar_tag.php">
Order Deny,Allow
Deny from all
# Allow only from trusted admin IP
Allow from 192.168.1.100
</Files>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
