CVE-2026-33133

HIGH EPSS 32.0%
Published Mar 20, 20263mo ago · Modified Jun 17, 20261w ago
8.6 CVSS 4.0
High
Find Similar
Published Mar 20, 2026 3mo ago
Last Modified Jun 17, 2026 1w ago

Description

WeGIA is a web manager for charitable institutions. In versions 3.6.5 and 3.6.6, the loadBackupDB() function imports SQL files from uploaded backup archives without any content validation. An attacker can craft a backup archive containing arbitrary SQL statements that create rogue administrator accounts, modify existing passwords, or execute any database operation. This was introduced in commit 370104c. This issue was patched in version 3.6.7.

CVSS Details

Base Score
8.6
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
32.0% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-89 SQL Injection Injection

Affected Products 2

VendorProductVersionRange
wegiawegia3.6.5any
wegiawegia3.6.6any

References 3

  • github.com https://github.com/LabRedesCefetRJ/WeGIA/pull/1459
    Issue TrackingPatch
  • github.com https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7
    ProductRelease Notes
  • github.com https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-qqff-p8fc-hg5f
    ExploitMitigationVendor Advisory

Remediation

  • github.com https://github.com/LabRedesCefetRJ/WeGIA/pull/1459
    Issue TrackingPatch