SB20260423171 - Multiple vulnerabilities in WeGIA



SB20260423171 - Multiple vulnerabilities in WeGIA

Published: April 23, 2026

Security Bulletin ID SB20260423171
CSH Severity
High
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 50% Medium 25% Low 25%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 vulnerabilities.


1) SQL injection (CVE-ID: CVE-2026-31895)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in html/matPat/restaurar_produto.php when handling the id_produto GET parameter. A remote user can send a specially crafted request to execute arbitrary SQL commands.

Exploitation requires access to the Material Patrimonial functionality with resource ID 22.


2) Link following (CVE-ID: CVE-2026-31894)

CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper link resolution before file access in the loadBackupDB() backup restore function when processing a crafted tar.gz backup archive. A remote user can upload a crafted archive containing a symbolic link to disclose sensitive information.

The issue was introduced in version 3.6.5, and exploitation can expose any file readable by the www-data user through an error message during MySQL import.


3) SQL injection (CVE-ID: CVE-2026-31896)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in remover_produto_ocultar.php when handling request parameters. A remote attacker can send a specially crafted request to execute arbitrary SQL commands.

The issue can be reached because the script uses extract($_REQUEST) to populate variables that are concatenated into a SQL query, and the advisory states that an execution after redirect condition in the permission check can allow code execution to continue even when permissions are denied.


4) SQL injection (CVE-ID: CVE-2026-33134)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in the html/matPat/restaurar_produto.php endpoint when processing the id_produto GET parameter. A remote attacker can send a specially crafted request to execute arbitrary SQL commands.

The id_produto value is interpolated into two consecutive SQL queries, which can cause time-based payloads to be executed twice.


Remediation

Install update from vendor's website.