PHP SQL Injection (CVE-2026-31896)

Overview

A critical security vulnerability has been discovered in WeGIA, a web-based management system for charitable institutions. This flaw, tracked as CVE-2026-31896, allows attackers to execute arbitrary SQL commands on the database. The vulnerability is present in all versions of WeGIA prior to version 3.6.6.

Vulnerability Details

The vulnerability exists in the remover_produto_ocultar.php script. The code uses an insecure extract($_REQUEST) function call, which takes user-supplied input from web requests and turns it directly into variables. These variables are then inserted directly into a SQL query without any validation or sanitization, a flaw known as SQL Injection.

Because the application uses PDO::query() to execute these tainted commands, an attacker can craft malicious requests that alter the intended SQL statement. This provides a direct pathway to the application’s database.

Potential Impact

Rated with a critical CVSS score of 9.8, this vulnerability has severe consequences:

• Data Theft: Attackers can read, modify, or delete sensitive information stored in the database. This could include donor details, financial records, beneficiary data, and internal system credentials.
• Denial of Service: As demonstrated in proof-of-concept exploits, attackers can execute commands that cause significant delays, making the application unresponsive for legitimate users.
• System Compromise: In some database configurations, SQL Injection can be used to execute commands on the underlying server, leading to a full system takeover.

For organizations handling sensitive charitable data, such a breach could result in significant operational, financial, and reputational damage. You can learn about the real-world impact of data leaks at our breach reports page.

Remediation and Mitigation

The vendor has released a fix in WeGIA version 3.6.6. All users must take immediate action.

1. Primary Action - Upgrade: The only complete solution is to upgrade your WeGIA installation to version 3.6.6 or later. This update addresses the insecure code pattern.
2. Temporary Mitigation: If an immediate upgrade is not possible, restrict network access to the WeGIA application to only trusted users and networks. However, this does not fix the flaw and should only be considered a temporary measure until the upgrade is performed.
3. Review and Monitor: After patching, review application and database logs for any signs of suspicious activity that may have occurred prior to the update.

For the latest updates on critical vulnerabilities like this one, follow our security news section. System administrators should prioritize this update to protect their organization’s data and maintain trust with their stakeholders.