CVE-2026-31896
Received Received - Intake
Critical SQL Injection in WeGIA Remover_Produto_Ocultar.php Allows Data Exfiltration

Publication date: 2026-03-11

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
WeGIA is a web manager for charitable institutions. Prior to version 3.6.6, a critical SQL injection vulnerability exists in the WeGIA application. The remover_produto_ocultar.php script uses extract($_REQUEST) to populate local variables and then directly concatenates these variables into a SQL query executed via PDO::query. This allows an authenticated (or auth-bypassed) attacker to execute arbitrary SQL commands. This can be used to exfiltrate sensitive data from the database or, as demonstrated in this PoC, cause a time-based delay (denial of service). This vulnerability is fixed in 3.6.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-13
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-14
NVD
CVE-2026-31896
EUVD
EUVD-2026-11313
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wegia wegia to 3.6.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-31896 is a critical SQL injection vulnerability in the WeGIA web manager application for charitable institutions, affecting versions prior to 3.6.6.'}, {'type': 'paragraph', 'content': "The vulnerability exists in the remover_produto_ocultar.php script, which uses PHP's extract($_REQUEST) function to create local variables directly from user input without proper sanitization."}, {'type': 'paragraph', 'content': 'These variables are then concatenated directly into a SQL query executed via PDO::query, allowing an attacker to inject arbitrary SQL commands.'}, {'type': 'paragraph', 'content': "Additionally, the script's permission check function suffers from an Execution After Redirect flaw, enabling attackers to bypass authorization."}, {'type': 'paragraph', 'content': 'An attacker can exploit this by bypassing authentication through a flaw in login.php and then sending specially crafted requests to execute SQL commands, including time-based delays to confirm the injection.'}] [1]

Impact Analysis

This vulnerability can have severe impacts including complete database compromise.

  • Attackers can exfiltrate sensitive data such as user credentials, patient records, and financial information.
  • Arbitrary SQL commands can be executed, allowing data modification or deletion, which can lead to data loss or manipulation.
  • The vulnerability can be exploited to cause denial of service by introducing time delays in database queries.

The CVSS v3 base score of 9.8 reflects the critical severity, with low attack complexity and no privileges or user interaction required.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by attempting to exploit the time-based blind SQL injection in the remover_produto_ocultar.php script. Specifically, you can send a crafted GET request to the script with a payload in the almoxarifado parameter that causes a delay in the SQL query execution, such as using the SQL SLEEP function.

A detection method involves measuring the response time of the server to such a request. If the response is delayed by the expected amount of time (e.g., 10 seconds), it indicates the presence of the SQL injection vulnerability.

The proof-of-concept exploit performs these steps:

  • Authenticate by bypassing login via POST parameters: c=true, cpf=admin, id_pessoa=1.
  • Send a GET request to remover_produto_ocultar.php with parameters: total_total=1, id_produto=1, and almoxarifado=1 AND (SELECT 1 FROM (SELECT(SLEEP(10)))a).

By measuring the response time of this GET request, you can confirm the vulnerability if the server delays the response by approximately 10 seconds.

Mitigation Strategies

The immediate and recommended mitigation is to upgrade the WeGIA application to version 3.6.6 or later, where this SQL injection vulnerability has been fixed.

Until the upgrade can be applied, consider restricting access to the vulnerable script remover_produto_ocultar.php to trusted users only, and monitor for suspicious requests that include SQL injection payloads.

Additionally, review and improve input validation and sanitization in the application, especially avoiding the use of extract($_REQUEST) and unsafe concatenation of user inputs into SQL queries. Use prepared statements with parameterized queries instead.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31896. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart