CVE-2026-33134
Authenticated SQL Injection in WeGIA restaurar_produto.php Leads to Database Compromise
Publication date: 2026-03-20
Last updated on: 2026-03-20
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wegia | wegia | < 3.6.6 (3.6.6 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33134 is an authenticated SQL Injection vulnerability in the WeGIA web manager application, specifically in the script /html/matPat/restaurar_produto.php. The vulnerability arises because the application takes the id_produto parameter directly from the GET request without any sanitization, type casting, or use of prepared statements, and inserts it directly into SQL queries.
This allows an authenticated attacker to inject arbitrary SQL commands through the id_produto parameter, potentially manipulating the database queries executed by the application.
The vulnerability can be exploited to perform time-based blind SQL injection attacks, as demonstrated by injecting commands like sleep(5) to delay server responses.
This issue affects WeGIA versions 3.6.5 and below and was fixed in version 3.6.6 by implementing prepared statements and proper input handling.
How can this vulnerability impact me?
This vulnerability can have severe impacts including full database compromise.
- An attacker can extract sensitive data such as passwords, personally identifiable information (PII), and session data.
- An attacker can modify or delete database records, potentially causing denial of service or unauthorized administrative access.
- In some misconfigured environments, the attacker could write files to the system, enabling remote code execution (RCE).
The vulnerability has a high severity rating with a CVSS v3.1 base score of 9.3, indicating critical risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the `id_produto` GET parameter in the `/html/matPat/restaurar_produto.php` endpoint for SQL injection. A common method is to inject time-based blind SQL commands such as `sleep(5)` to observe if the server response is delayed, indicating vulnerability.
For example, an authenticated user can send a request like: `/html/matPat/restaurar_produto.php?id_produto=1 OR SLEEP(5)--` and check if the response time increases significantly.
This can be done using command-line tools such as curl or wget to measure response times, for example:
- `curl -w "%{time_total}\n" -o /dev/null -s "http://target/html/matPat/restaurar_produto.php?id_produto=1"`
- `curl -w "%{time_total}\n" -o /dev/null -s "http://target/html/matPat/restaurar_produto.php?id_produto=1 OR SLEEP(5)--"`
If the second command shows a response time approximately 5 seconds longer than the first, it indicates the presence of the time-based blind SQL injection vulnerability. [2]
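The detection answer above probes the live endpoint; a defender who already has web server logs can instead look for evidence of the same probing after the fact. The PHP script below is an added example, not WeGIA's or the advisory's tooling: it scans access-log lines (combined format, with constructed sample entries) for requests to `/html/matPat/restaurar_produto.php` whose `id_produto` value is anything other than a plain positive integer, which is the only shape a product id should ever have. The log format, the constructed sample lines and the helper names are assumptions.

```php
<?php
// Added example, not WeGIA's own code: flag access-log entries where the
// id_produto parameter of restaurar_produto.php is not a positive integer.
// Log format (Apache/nginx "combined") and sample lines are constructed.

declare(strict_types=1);

const VULN_PATH = '/html/matPat/restaurar_produto.php';

/**
 * Extract the query parameters of a request line, or null when the line is
 * not a request to the vulnerable endpoint.
 */
function parseRequestTarget(string $line): ?array
{
    // The request target sits in the first quoted field: "GET /path?query HTTP/1.1"
    if (!preg_match('/"(?:GET|POST) ([^ "]+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    $parts = parse_url($m[1]);
    if (($parts['path'] ?? '') !== VULN_PATH) {
        return null;
    }
    $params = [];
    // parse_str percent-decodes the values itself (no extra urldecode, or %2520 would be decoded twice)
    parse_str($parts['query'] ?? '', $params);
    return $params;
}

/**
 * Return every line whose id_produto is not a positive integer, together with
 * the decoded value so an analyst can see what was actually sent.
 */
function findSuspiciousRequests(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $params = parseRequestTarget($line);
        if ($params === null || !array_key_exists('id_produto', $params)) {
            continue;
        }
        // id_produto[]=... would arrive as an array; that is suspicious on its own
        $value = is_array($params['id_produto'])
            ? json_encode($params['id_produto'])
            : (string) $params['id_produto'];
        if (filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]) === false) {
            $hits[] = ['id_produto' => $value, 'line' => $line];
        }
    }
    return $hits;
}

// Constructed sample log: one legitimate restore, two tampered requests, one unrelated page.
$sampleLog = [
    '10.0.0.5 - alice [20/Mar/2026:10:00:01 +0000] "GET /html/matPat/restaurar_produto.php?id_produto=42 HTTP/1.1" 200 512',
    '10.0.0.9 - bob [20/Mar/2026:10:00:07 +0000] "GET /html/matPat/restaurar_produto.php?id_produto=1%20OR%20SLEEP(5)-- HTTP/1.1" 200 512',
    '10.0.0.9 - bob [20/Mar/2026:10:00:15 +0000] "GET /html/matPat/restaurar_produto.php?id_produto=1%27 HTTP/1.1" 500 0',
    '10.0.0.5 - alice [20/Mar/2026:10:01:00 +0000] "GET /html/matPat/index.php HTTP/1.1" 200 2048',
];

foreach (findSuspiciousRequests($sampleLog) as $hit) {
    printf("ALERT non-integer id_produto=%s\n  %s\n", $hit['id_produto'], $hit['line']);
}
// Two alerts are printed, both for the requests from 10.0.0.9.
```

Run it as `php scan.php` or pipe a real log in by replacing `$sampleLog` with `file('access.log', FILE_IGNORE_NEW_LINES)`. Because the check is "is this a positive integer" rather than a signature match, it catches quoting, comment markers and time-based payloads alike, and it produces no alert for normal use of the endpoint.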
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation is to upgrade the WeGIA application to version 3.6.6 or later, where this vulnerability has been fixed.
Additionally, ensure that the application uses proper input validation, type casting, and parameterized SQL queries (prepared statements) to prevent SQL injection.
If upgrading immediately is not possible, restrict access to the vulnerable endpoint to trusted authenticated users only and monitor for suspicious activity.
Review and apply the security fixes from pull request #1457, which include removal of unsafe functions like `extract()`, adoption of PDO prepared statements, and validation of file paths to prevent related vulnerabilities.
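To make the root cause and the fix described in this Q&A concrete (an `id_produto` value from `$_GET` concatenated into SQL, versus validation plus a PDO prepared statement), here is an added PHP example. It is a reconstruction for illustration, not WeGIA's own `restaurar_produto.php` and not the code from pull request #1457: the table and column names (`produto`, `id_produto`, `ativo`), the function names and the use of an in-memory SQLite database so it runs without a server are all assumptions. The tampered input shown is the generic tautology case rather than the time-based one from the advisory.

```php
<?php
// Added example, not WeGIA's code. Vulnerable pattern (CWE-89) beside the
// hardened form: validate as a positive integer, then bind a typed placeholder.
// Schema, names and the SQLite demo database are assumptions for illustration.

declare(strict_types=1);

/**
 * VULNERABLE pattern (do not use): the raw query-string value becomes part of
 * the SQL text, so any value that is not a plain integer rewrites the query.
 */
function restaurarProdutoVulneravel(PDO $pdo, array $get): int
{
    $id = $get['id_produto'] ?? '';
    $sql = "UPDATE produto SET ativo = 1 WHERE id_produto = $id";
    return $pdo->exec($sql);
}

/**
 * Hardened form: reject anything that is not a positive integer before any SQL
 * is built, then bind the value as an integer parameter so the database engine
 * never parses it as SQL syntax.
 */
function restaurarProdutoSeguro(PDO $pdo, array $get): int
{
    $id = filter_var($get['id_produto'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        throw new InvalidArgumentException('id_produto must be a positive integer');
    }

    $stmt = $pdo->prepare('UPDATE produto SET ativo = 1 WHERE id_produto = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Demonstration database (constructed sample data, SQLite in memory).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE produto (id_produto INTEGER PRIMARY KEY, nome TEXT, ativo INTEGER)');
$pdo->exec("INSERT INTO produto VALUES (1, 'cadeira', 0), (2, 'mesa', 0), (3, 'armario', 0)");

// Legitimate request: exactly one product is restored.
echo restaurarProdutoSeguro($pdo, ['id_produto' => '1']), " row restored (hardened)\n"; // 1

// Tampered request against the vulnerable function: the injected "OR 1=1"
// becomes part of the WHERE clause and every product is restored.
$pdo->exec('UPDATE produto SET ativo = 0');
echo restaurarProdutoVulneravel($pdo, ['id_produto' => '1 OR 1=1']), " rows affected (vulnerable)\n"; // 3

// The same input never reaches the database through the hardened function.
try {
    restaurarProdutoSeguro($pdo, ['id_produto' => '1 OR 1=1']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Two design points carry over to a real MySQL-backed deployment: validation with `FILTER_VALIDATE_INT` turns a malformed id into an error response rather than a query, and binding with `PDO::PARAM_INT` means that even if validation were bypassed the value would travel as a parameter, not as SQL text. On MySQL, disabling `PDO::ATTR_EMULATE_PREPARES` makes the driver use server-side prepared statements so the separation is enforced by the database itself.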