HIGHCVE-2026-33133Published 2026-03-20Modified 2026-03-24CNA GitHub_M

CVE-2026-33133: WeGIA has an arbitrary SQL execution vulnerability via crafted backup archive

WeGIA is a web manager for charitable institutions. In versions 3.6.5 and 3.6.6, the loadBackupDB() function imports SQL files from uploaded backup archives without any content validation. An attacker can craft a backup archive containing arbitrary SQL statements that create rogue administrator accounts, modify existing passwords, or execute any database operation. This was introduced in commit 370104c. This issue was patched in version 3.6.7.

CVSS v4.0: 8.6
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

LabRedesCefetRJ / WeGIA
>= 3.6.5, < 3.6.7

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-qqff-p8fc-hg5f
https://github.com/LabRedesCefetRJ/WeGIA/pull/1459
https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7

Metrics