SQL injection in WeGIA - CVE-2026-31896

 


Published: April 23, 2026


Vulnerability identifier: #VU127331
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-31896
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LabReDeS
Affected software:
WeGIA

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in remover_produto_ocultar.php when handling request parameters. A remote attacker can send a specially crafted request to execute arbitrary SQL commands.

The script calls extract($_REQUEST), so every request parameter becomes a PHP variable, and those variables are concatenated directly into the SQL query text. According to the advisory, the injection is also reachable by unauthorized users: the permission check suffers from an execution-after-redirect condition, where the script issues a redirect when permissions are denied but does not stop, so the query still executes.
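The following is an added illustration of the pattern described above, written for this page; it is not WeGIA's code. The parameter name ($id_produto), the table and column names, and the redirect target are hypothetical, since the page does not give the script's real identifiers. The vulnerable handler reproduces both defects (extract() feeding string-concatenated SQL, and a redirect without exit), and the hardened handler shows the fix for each. The demo at the bottom runs against an in-memory SQLite database with constructed rows.

```php
<?php
// Added example, not WeGIA's code. $id_produto, the produto table and the
// redirect path are hypothetical names chosen for illustration.

// --- Vulnerable pattern, as the advisory describes it ---
function vulnerable_handler(PDO $pdo, array $request, bool $has_permission): void
{
    if (!$has_permission) {
        header('Location: ../../index.php'); // redirect is sent...
        // ...but there is no exit: execution after redirect, the code below still runs
    }
    extract($request); // every request parameter becomes a PHP variable, e.g. $id_produto
    $sql = "UPDATE produto SET ocultar = 1 WHERE id_produto = " . $id_produto;
    $pdo->exec($sql);  // attacker-controlled text is executed as SQL
}

// --- Hardened form: exit after redirect, no extract(), prepared statement ---
function hardened_handler(PDO $pdo, array $request, bool $has_permission): bool
{
    if (!$has_permission) {
        header('Location: ../../index.php');
        exit; // the redirect alone does not stop the script; exit does
    }
    // Read only the one parameter we expect and validate its type.
    $id_produto = filter_var($request['id_produto'] ?? null, FILTER_VALIDATE_INT);
    if ($id_produto === false || $id_produto === null) {
        return false; // reject; in a real handler send HTTP 400 here
    }
    // Bound parameter: the value never becomes part of the SQL text.
    $stmt = $pdo->prepare('UPDATE produto SET ocultar = 1 WHERE id_produto = :id');
    $stmt->bindValue(':id', $id_produto, PDO::PARAM_INT);
    return $stmt->execute();
}

function hidden_count(PDO $pdo): int
{
    return (int) $pdo->query('SELECT COUNT(*) FROM produto WHERE ocultar = 1')->fetchColumn();
}

function fresh_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->exec('CREATE TABLE produto (id_produto INTEGER PRIMARY KEY, nome TEXT, ocultar INTEGER DEFAULT 0)');
    $pdo->exec("INSERT INTO produto (nome) VALUES ('a'), ('b'), ('c')"); // constructed sample rows
    return $pdo;
}

if (PHP_SAPI === 'cli') {
    // Constructed malicious request: the "id" is SQL, not a number.
    $evil = ['id_produto' => '1 OR 1=1'];

    $pdo = fresh_db();
    vulnerable_handler($pdo, $evil, true);
    echo "vulnerable: hidden rows = " . hidden_count($pdo) . PHP_EOL; // all 3 rows hidden

    $pdo = fresh_db();
    $ok = hardened_handler($pdo, $evil, true);
    echo "hardened: request accepted = " . var_export($ok, true)
        . ", hidden rows = " . hidden_count($pdo) . PHP_EOL; // rejected, 0 rows hidden

    $pdo = fresh_db();
    hardened_handler($pdo, ['id_produto' => '2'], true);
    echo "hardened (valid id): hidden rows = " . hidden_count($pdo) . PHP_EOL; // exactly 1
}
```

Run with `php example.php` (requires the pdo_sqlite extension). The vulnerable path shows why extract() is dangerous even when the concatenated value is "just an id": the WHERE clause becomes `id_produto = 1 OR 1=1` and the update touches every row. Note that the hardened version also fixes the second defect on its own: calling exit after header() is what actually stops the script, so the permission check can no longer be bypassed by ignoring the redirect.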


How to mitigate CVE-2026-31896

Install security update from vendor's website.

Sources