SB20260423171 - Multiple vulnerabilities in WeGIA
Published: April 23, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 vulnerabilities.
1) SQL injection (CVE-ID: CVE-2026-31895)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary SQL commands.
The vulnerability exists due to SQL injection in html/matPat/restaurar_produto.php when handling the id_produto GET parameter. A remote user can send a specially crafted request to execute arbitrary SQL commands.
Exploitation requires access to the Material Patrimonial functionality with resource ID 22.
2) Link following (CVE-ID: CVE-2026-31894)
CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper link resolution before file access in the loadBackupDB() backup restore function when processing a crafted tar.gz backup archive. A remote user can upload a crafted archive containing a symbolic link to disclose sensitive information.
The issue was introduced in version 3.6.5, and exploitation can expose any file readable by the www-data user through an error message during MySQL import.
3) SQL injection (CVE-ID: CVE-2026-31896)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary SQL commands.
The vulnerability exists due to SQL injection in remover_produto_ocultar.php when handling request parameters. A remote attacker can send a specially crafted request to execute arbitrary SQL commands.
The issue can be reached because the script uses extract($_REQUEST) to populate variables that are concatenated into a SQL query, and the advisory states that an execution after redirect condition in the permission check can allow code execution to continue even when permissions are denied.
4) SQL injection (CVE-ID: CVE-2026-33134)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary SQL commands.
The vulnerability exists due to SQL injection in the html/matPat/restaurar_produto.php endpoint when processing the id_produto GET parameter. A remote attacker can send a specially crafted request to execute arbitrary SQL commands.
The id_produto value is interpolated into two consecutive SQL queries, which can cause time-based payloads to be executed twice.
Remediation
Install update from vendor's website.
References
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-m39r-p62f-vmqm
- https://github.com/advisories/GHSA-m39r-p62f-vmqm
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-6mmm-27h8-8g55
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w7g3-87cr-8m83
- https://github.com/advisories/GHSA-w7g3-87cr-8m83
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-qg95-x997-66wq