CVE-2026-33133

WeGIA is a web manager for charitable institutions. In versions 3.6.5 and 3.6.6, the loadBackupDB() function imports SQL files from uploaded backup archives without any content validation. An attacker can craft a backup archive containing arbitrary SQL statements that create rogue administrator accounts, modify existing passwords, or execute any database operation. This was introduced in commit 370104c. This issue was patched in version 3.6.7.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/LabRedesCefetRJ/WeGIA/pull/1459	Issue Tracking Patch
https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7	Product Release Notes
https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-qqff-p8fc-hg5f	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:wegia:wegia:3.6.5:::::::*
	cpe:2.3:a:wegia:wegia:3.6.6:::::::*

History

17 Jun 2026, 10:37

Type	Values Removed	Values Added
Summary		(es) WeGIA es un gestor web para instituciones benéficas. En las versiones 3.6.5 y 3.6.6, la función loadBackupDB() importa archivos SQL de archivos de copia de seguridad subidos sin ninguna validación de contenido. Un atacante puede crear un archivo de copia de seguridad que contenga sentencias SQL arbitrarias que creen cuentas de administrador maliciosas, modifiquen contraseñas existentes o ejecuten cualquier operación de base de datos. Esto fue introducido en el commit 370104c. Este problema fue parcheado en la versión 3.6.7.

20 Mar 2026, 19:29

Type	Values Removed	Values Added
References	~~() https://github.com/LabRedesCefetRJ/WeGIA/pull/1459 -~~	() https://github.com/LabRedesCefetRJ/WeGIA/pull/1459 - Issue Tracking, Patch
References	~~() https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7 -~~	() https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7 - Product, Release Notes
References	~~() https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-qqff-p8fc-hg5f -~~	() https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-qqff-p8fc-hg5f - Exploit, Mitigation, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.2
CPE		cpe:2.3:a:wegia:wegia:3.6.5:::::::* cpe:2.3:a:wegia:wegia:3.6.6:::::::*
First Time		Wegia wegia Wegia

20 Mar 2026, 11:18

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-20 11:18

Updated : 2026-06-17 10:37

NVD link : CVE-2026-33133

Mitre link : CVE-2026-33133

CVE.ORG link : CVE-2026-33133

JSON object : View

Products Affected

wegia

wegia

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

7.2 /10