PT-2026-24798 · Labredescefetrj+2 · Wegia
Hunterxsirago1
·
Published
2026-03-11
·
Updated
2026-03-11
·
CVE-2026-31896
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
WeGIA versions prior to 3.6.6
Description
WeGIA is a web manager for charitable institutions. A critical SQL injection issue exists in the application prior to version 3.6.6. The `remover_produto_ocultar.php` script uses `extract($_REQUEST)` to populate local variables, which are then concatenated directly into a SQL query executed through `PDO::query`. This allows an authenticated or auth-bypassed attacker to execute arbitrary SQL commands, which can lead to the exfiltration of sensitive data from the database or a time-based denial of service. The vulnerable code concatenates user-supplied input from `$_REQUEST` into the SQL string without sanitization, and `extract()` turns every request key into a local variable, so the attacker controls the values that end up in the query.
Recommendations
Versions prior to 3.6.6 should be updated to version 3.6.6 or later.
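As an added illustration (not WeGIA's own code), the following PHP shows the pattern the advisory describes next to a hardened version. The table and column names (`produto`, `id_produto`, `ocultar`) and the parameter name are assumptions.

```php
<?php
// Added illustration of the pattern described in the advisory; not WeGIA's code.
// Table/column names (produto, id_produto, ocultar) are assumptions.

// VULNERABLE PATTERN: extract() defines a local variable for every request
// key, and the value is spliced straight into the SQL text before query().
function hideProductVulnerable(PDO $pdo): void
{
    extract($_REQUEST);                      // defines $id_produto from ?id_produto=...
    $sql = "UPDATE produto SET ocultar = 1 WHERE id_produto = " . $id_produto;
    $pdo->query($sql);                       // request data is now part of the statement
}

// HARDENED: no extract(), one explicitly read parameter, integer validation,
// and a prepared statement with a typed bound parameter.
function hideProductHardened(PDO $pdo): bool
{
    // Real prepares on the server side; emulated prepares still interpolate.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

    // Read only the single parameter this endpoint needs.
    // filter_input() returns null when absent and false when not a valid int.
    $id = filter_input(INPUT_POST, 'id_produto', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === null || $id === false) {
        http_response_code(400);
        return false;
    }

    $stmt = $pdo->prepare('UPDATE produto SET ocultar = 1 WHERE id_produto = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    // One affected row means the product existed and was hidden.
    return $stmt->rowCount() === 1;
}
```

The hardened version also removes the `$_REQUEST` superglobal (which merges GET, POST and cookie data) in favour of reading the expected method explicitly.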
Exploit
Fix
SQL injection
Affected Products
Wegia