CVE-2026-31896 is a critical SQL injection vulnerability identified in the WeGIA web management system developed by LabRedesCefetRJ, specifically impacting versions prior to 3.6.6. The vulnerability exists in the remover_produto_ocultar.php script, which uses PHP's extract($_REQUEST) function to populate local variables from user-supplied HTTP request parameters. These variables are then directly concatenated into an SQL query executed via PDO::query without any input validation or parameterization. This improper neutralization of special elements in SQL commands (CWE-89) enables an attacker to inject arbitrary SQL code. The vulnerability can be exploited without authentication or user interaction, allowing attackers to perform unauthorized data access, modification, or deletion. The proof-of-concept demonstrates the ability to cause time-based delays, effectively enabling denial of service attacks. The vulnerability is rated with a CVSS v3.1 score of 9.8 (critical), reflecting its high impact on confidentiality, integrity, and availability, combined with ease of exploitation. The issue is resolved in WeGIA version 3.6.6 by presumably implementing proper input sanitization or using prepared statements. No public exploits have been reported yet, but the critical nature and lack of required authentication make this a high-risk vulnerability for affected deployments.

The impact of CVE-2026-31896 is severe for organizations using vulnerable versions of WeGIA. Exploitation can lead to unauthorized disclosure of sensitive data stored in the backend database, including potentially personal or financial information managed by charitable institutions. Attackers can also modify or delete data, undermining data integrity and trustworthiness. Additionally, the demonstrated ability to cause time-based delays can result in denial of service, disrupting normal operations of the web management system. Given that WeGIA is used by charitable organizations, such disruptions could affect critical services and donor management. The vulnerability’s ease of exploitation without authentication increases the risk of widespread attacks, potentially leading to data breaches, reputational damage, regulatory penalties, and operational downtime.

Organizations should immediately upgrade WeGIA to version 3.6.6 or later, where this vulnerability is fixed. Until the upgrade is applied, implement compensating controls such as web application firewalls (WAFs) configured to detect and block SQL injection attempts targeting the vulnerable script. Review and restrict access to the remover_produto_ocultar.php endpoint, limiting it to trusted users or IP addresses where feasible. Conduct thorough input validation and sanitization on all user-supplied data, avoiding the use of PHP extract() on $_REQUEST or any untrusted input. Replace direct query concatenation with parameterized queries or prepared statements using PDO to prevent injection. Monitor logs for suspicious SQL errors or unusual database query patterns indicative of exploitation attempts. Finally, conduct security awareness training for developers to avoid similar coding practices in future development.