CVE-2026-33133

WeGIA is a web manager for charitable institutions. In versions 3.6.5 and 3.6.6, the loadBackupDB() function imports SQL files from uploaded backup archives without any content validation. An attacker can craft a backup archive containing arbitrary SQL statements that create rogue administrator accounts, modify existing passwords, or execute any database operation. This was introduced in commit 370104c. This issue was patched in version 3.6.7.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/LabRedesCefetRJ/WeGIA/pull/1459	Issue Tracking Patch
https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7	Product Release Notes
https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-qqff-p8fc-hg5f	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:wegia:wegia:3.6.5:::::::*
	cpe:2.3:a:wegia:wegia:3.6.6:::::::*

History

20 Mar 2026, 19:29

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.2
CPE		cpe:2.3:a:wegia:wegia:3.6.5:::::::* cpe:2.3:a:wegia:wegia:3.6.6:::::::*
First Time		Wegia wegia Wegia
References	~~() https://github.com/LabRedesCefetRJ/WeGIA/pull/1459 -~~	() https://github.com/LabRedesCefetRJ/WeGIA/pull/1459 - Issue Tracking, Patch
References	~~() https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7 -~~	() https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7 - Product, Release Notes
References	~~() https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-qqff-p8fc-hg5f -~~	() https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-qqff-p8fc-hg5f - Exploit, Mitigation, Vendor Advisory

20 Mar 2026, 11:18

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-20 11:18

Updated : 2026-03-20 19:29

NVD link : CVE-2026-33133

Mitre link : CVE-2026-33133

CVE.ORG link : CVE-2026-33133

JSON object : View

Products Affected

wegia

wegia

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2026-33133", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-20T11:18:03.037", "references": [{"url": "https://github.com/LabRedesCefetRJ/WeGIA/pull/1459", "tags": ["Issue Tracking", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-qqff-p8fc-hg5f", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "WeGIA is a web manager for charitable institutions. In versions 3.6.5 and 3.6.6, the loadBackupDB() function imports SQL files from uploaded backup archives without any content validation. An attacker can craft a backup archive containing arbitrary SQL statements that create rogue administrator accounts, modify existing passwords, or execute any database operation. This was introduced in commit 370104c. This issue was patched in version 3.6.7."}], "lastModified": "2026-03-20T19:29:20.317", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wegia:wegia:3.6.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "45337EFE-D771-4223-BE77-E226D1D72FBF"}, {"criteria": "cpe:2.3:a:wegia:wegia:3.6.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2CE46858-8303-463F-8C23-DC40F207EBDC"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}