CVE-2026-33133 is an SQL injection vulnerability categorized under CWE-89, discovered in the WeGIA web management software developed by LabRedesCefetRJ. The issue exists in versions 3.6.5 and 3.6.6 within the loadBackupDB() function, which is responsible for importing SQL files from backup archives uploaded by users. The function fails to validate or sanitize the SQL content inside these archives, allowing an attacker with sufficient privileges to upload a malicious backup archive containing arbitrary SQL statements. These statements can perform unauthorized database operations such as creating rogue administrator accounts, altering existing user credentials, or executing any SQL commands, effectively compromising the confidentiality, integrity, and availability of the database. The vulnerability was introduced in a specific commit (370104c) and patched in version 3.6.7. The CVSS v4.0 score is 8.6, reflecting high severity due to network attack vector, low attack complexity, no user interaction, but requiring high privileges. The vulnerability does not require user interaction but does require the attacker to have high privileges to upload backup archives. No known exploits have been reported in the wild as of the publication date. The vulnerability poses a significant risk to organizations relying on WeGIA for managing charitable institution data, especially if they have not applied the patch.

The impact of CVE-2026-33133 is substantial for organizations using vulnerable versions of WeGIA. Successful exploitation allows attackers to execute arbitrary SQL commands on the backend database, leading to unauthorized creation of administrator accounts, modification of user credentials, and potentially full database compromise. This can result in data breaches, loss of data integrity, unauthorized access to sensitive information, and disruption of service availability. For charitable institutions, this could mean exposure of donor information, financial data, and operational details, severely damaging trust and compliance with data protection regulations. Since the vulnerability requires high privileges to exploit, insider threats or compromised accounts are primary risk vectors. However, once exploited, the attacker gains extensive control over the system, making remediation difficult without restoring from clean backups and applying patches.

To mitigate this vulnerability, organizations should immediately upgrade WeGIA to version 3.6.7 or later, where the issue has been patched. Until the upgrade is applied, restrict access to the backup upload functionality to only trusted and authenticated administrators to minimize risk. Implement strict input validation and sanitization on uploaded backup files to detect and block malicious SQL content. Employ database activity monitoring to detect unusual SQL commands or privilege escalations. Enforce the principle of least privilege for user accounts, limiting who can upload backups or perform database imports. Regularly audit user accounts and permissions to identify any unauthorized changes. Additionally, maintain offline, verified backups to enable recovery in case of compromise. Finally, monitor vendor advisories for any updates or additional patches related to this vulnerability.