CVE-2026-33133 is an SQL Injection vulnerability classified under CWE-89, discovered in the WeGIA web management platform developed by LabRedesCefetRJ. The flaw exists in versions 3.6.5 and 3.6.6 within the loadBackupDB() function, which is responsible for importing SQL files from user-uploaded backup archives. The function lacks proper validation or sanitization of the SQL content in these backups, allowing attackers with authenticated high-privilege access to upload malicious backup archives containing arbitrary SQL statements. These statements can manipulate the database by creating unauthorized administrator accounts, modifying existing user credentials, or performing any database operation, effectively compromising the system's confidentiality, integrity, and availability. The vulnerability was introduced in a specific code commit (370104c) and was addressed in version 3.6.7 by implementing appropriate validation and sanitization controls. The CVSS 4.0 score of 8.6 reflects the vulnerability's high severity, with network attack vector, low attack complexity, no user interaction, and high impact on all security properties. No public exploits have been reported yet, but the vulnerability poses a significant risk to organizations relying on affected WeGIA versions.

The exploitation of CVE-2026-33133 can have severe consequences for organizations using WeGIA versions 3.6.5 and 3.6.6. Attackers can gain unauthorized administrative access by injecting rogue administrator accounts, leading to full system compromise. They can alter or reset passwords, lock out legitimate users, or escalate privileges. Arbitrary SQL execution can result in data theft, data corruption, or deletion, severely impacting data confidentiality and integrity. Availability can also be affected if attackers execute destructive commands or disrupt database operations. Given WeGIA's role in managing charitable institutions, such compromises could disrupt critical services, damage reputations, and lead to regulatory or legal consequences. The requirement for authenticated high-privilege access limits the attack surface but does not eliminate risk, especially if insider threats or credential compromise occur. Organizations worldwide relying on WeGIA for sensitive data management face significant operational and security risks until patched.

To mitigate CVE-2026-33133, organizations should immediately upgrade WeGIA to version 3.6.7 or later, where the vulnerability is patched. Until upgrading is possible, restrict access to the loadBackupDB() functionality to only trusted, authenticated administrators and monitor upload activities closely. Implement strict validation and sanitization of backup archive contents before importing, including scanning for unexpected SQL commands or anomalies. Employ database activity monitoring to detect suspicious SQL statements or privilege escalations. Enforce strong authentication and access controls to minimize the risk of credential compromise. Regularly audit user accounts and permissions to detect unauthorized changes. Additionally, maintain offline, verified backups to recover from potential data corruption or deletion. Organizations should also educate administrators on the risks of importing untrusted backup files and establish incident response plans for potential exploitation scenarios.