CVE-2026-31895 is a SQL injection vulnerability identified in WeGIA, a web-based management platform designed for charitable institutions, developed by LabRedesCefetRJ. The flaw is located in the html/matPat/restaurar_produto.php file, specifically in the handling of the id_produto parameter received via the HTTP GET method. The parameter is directly interpolated into SQL queries without any form of input validation, sanitization, or use of prepared statements, violating secure coding practices against CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). This improper neutralization allows an attacker with authenticated access and low privileges to inject malicious SQL code, potentially enabling unauthorized data access, data modification, or deletion, and even full compromise of the backend database. The vulnerability affects all WeGIA versions prior to 3.6.6, with the vendor having addressed the issue in the 3.6.6 release. The CVSS 3.1 base score of 8.8 reflects the vulnerability's network attack vector, low attack complexity, requirement for privileges but no user interaction, and its high impact on confidentiality, integrity, and availability. While no public exploits have been reported yet, the vulnerability's characteristics make it a significant risk for organizations using WeGIA, especially those managing sensitive charitable institution data.

The exploitation of this SQL injection vulnerability can have severe consequences for organizations using WeGIA. Attackers can manipulate SQL queries to extract sensitive information such as donor data, financial records, or personal information of beneficiaries, leading to confidentiality breaches. They can also alter or delete critical data, undermining data integrity and potentially disrupting operations. In worst-case scenarios, attackers could escalate privileges or execute administrative commands on the database server, causing full system compromise and denial of service. Given that WeGIA is used by charitable institutions, such breaches could damage organizational reputation, erode donor trust, and result in regulatory penalties for data protection violations. The vulnerability’s network accessibility and low complexity make it a viable target for attackers, increasing the risk of widespread exploitation if unpatched.

Organizations should immediately upgrade WeGIA installations to version 3.6.6 or later, where the SQL injection vulnerability has been fixed by proper parameterization of SQL queries. Until patching is possible, implement strict input validation and sanitization on the id_produto parameter at the web application firewall or application level to block malicious payloads. Restrict database user privileges to the minimum necessary, ensuring that the database account used by WeGIA cannot perform destructive operations beyond its scope. Enable detailed logging and monitoring of database queries and application logs to detect anomalous activities indicative of SQL injection attempts. Conduct regular security assessments and code reviews focusing on input handling and query construction. Additionally, consider deploying runtime application self-protection (RASP) solutions that can detect and block injection attacks in real time. Educate developers and administrators on secure coding practices to prevent similar vulnerabilities in future releases.