CVE-2026-31896
Critical SQL Injection in WeGIA Remover_Produto_Ocultar.php Allows Data Exfiltration
Publication date: 2026-03-11
Last updated on: 2026-03-13
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wegia | wegia | up to 3.6.6 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31896 is a critical SQL injection vulnerability in the WeGIA web manager application for charitable institutions, affecting versions prior to 3.6.6.
The vulnerability exists in the remover_produto_ocultar.php script, which uses PHP's extract($_REQUEST) function to create local variables directly from user input without proper sanitization.
These variables are then concatenated directly into a SQL query executed via PDO::query, allowing an attacker to inject arbitrary SQL commands.
Additionally, the script's permission check function suffers from an Execution After Redirect flaw, enabling attackers to bypass authorization.
An attacker can exploit this by bypassing authentication through a flaw in login.php and then sending specially crafted requests to execute SQL commands, including time-based delays to confirm the injection. [1]
How can this vulnerability impact me?
This vulnerability can have severe impacts including complete database compromise.
- Attackers can exfiltrate sensitive data such as user credentials, patient records, and financial information.
- Arbitrary SQL commands can be executed, allowing data modification or deletion, which can lead to data loss or manipulation.
- The vulnerability can be exploited to cause denial of service by introducing time delays in database queries.
The CVSS v3 base score of 9.8 reflects the critical severity, with low attack complexity and no privileges or user interaction required.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to exploit the time-based blind SQL injection in the remover_produto_ocultar.php script. Specifically, you can send a crafted GET request to the script with a payload in the almoxarifado parameter that causes a delay in the SQL query execution, such as using the SQL SLEEP function.
A detection method involves measuring the response time of the server to such a request. If the response is delayed by the expected amount of time (e.g., 10 seconds), it indicates the presence of the SQL injection vulnerability.
The proof-of-concept exploit performs these steps:
- Authenticate by bypassing login via POST parameters: c=true, cpf=admin, id_pessoa=1.
- Send a GET request to remover_produto_ocultar.php with parameters: total_total=1, id_produto=1, and almoxarifado=1 AND (SELECT 1 FROM (SELECT(SLEEP(10)))a).
By measuring the response time of this GET request, you can confirm the vulnerability if the server delays the response by approximately 10 seconds.
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to upgrade the WeGIA application to version 3.6.6 or later, where this SQL injection vulnerability has been fixed.
Until the upgrade can be applied, consider restricting access to the vulnerable script remover_produto_ocultar.php to trusted users only, and monitor for suspicious requests that include SQL injection payloads.
Additionally, review and improve input validation and sanitization in the application, especially avoiding the use of extract($_REQUEST) and unsafe concatenation of user inputs into SQL queries. Use prepared statements with parameterized queries instead.
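As an added illustration, not WeGIA's own source, the following shows the CWE-89 pattern this advisory describes (extract($_REQUEST) feeding string concatenation into PDO::query, plus a redirect without exit) beside a hardened form that validates types and uses a prepared statement. Table and column names (produto_almoxarifado, id_almoxarifado, oculto) are assumptions.

```php
<?php
// Constructed illustration for this advisory, not WeGIA's own source.
// Table/column names (produto_almoxarifado, id_almoxarifado, oculto) are assumptions.

// Permission check with an Execution After Redirect defect: without exit(),
// PHP sends the Location header but keeps executing the rest of the script.
function exigirPermissao(bool $temPermissao): void
{
    if (!$temPermissao) {
        header('Location: ../../index.php');
        exit; // omitting this line is the EAR defect; the redirect alone stops nothing
    }
}

// Vulnerable pattern (CWE-89): extract($_REQUEST) turns every request key into a
// local variable, which is then concatenated into the SQL text passed to PDO::query.
function removerProdutoOcultarVulneravel(PDO $pdo): void
{
    extract($_REQUEST);
    $sql = "UPDATE produto_almoxarifado SET oculto = 1, total = $total_total "
         . "WHERE id_produto = $id_produto AND id_almoxarifado = $almoxarifado";
    $pdo->query($sql); // anything placed in almoxarifado is parsed as SQL syntax
}

// Hardened form: read only the expected keys, enforce integer types,
// and bind them as parameters so the values can never be parsed as SQL.
function removerProdutoOcultarSeguro(PDO $pdo, array $request): bool
{
    $idProduto    = filter_var($request['id_produto']   ?? null, FILTER_VALIDATE_INT);
    $almoxarifado = filter_var($request['almoxarifado'] ?? null, FILTER_VALIDATE_INT);
    $totalTotal   = filter_var($request['total_total']  ?? null, FILTER_VALIDATE_INT);
    if ($idProduto === false || $almoxarifado === false || $totalTotal === false) {
        http_response_code(400); // non-integer input, such as an injection payload, is rejected
        return false;
    }
    $stmt = $pdo->prepare(
        'UPDATE produto_almoxarifado SET oculto = 1, total = :total '
        . 'WHERE id_produto = :id_produto AND id_almoxarifado = :almoxarifado'
    );
    $stmt->bindValue(':total',        $totalTotal,   PDO::PARAM_INT);
    $stmt->bindValue(':id_produto',   $idProduto,    PDO::PARAM_INT);
    $stmt->bindValue(':almoxarifado', $almoxarifado, PDO::PARAM_INT);
    return $stmt->execute();
}
```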