CVE-2026-33134: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in LabRedesCefetRJ WeGIA
CVE-2026-33134 is a critical SQL Injection vulnerability in WeGIA, a web management system for charitable institutions, affecting versions 3.6.5 and below. The flaw exists in the html/matPat/restaurar_produto.php endpoint, where the id_produto GET parameter is interpolated into SQL queries without sanitization or parameterization. An authenticated attacker can exploit this to execute arbitrary SQL commands, potentially leading to full database compromise. The vulnerability has been fixed in version 3.6.6. Exploitation requires authentication but no user interaction; the vulnerability has high confidentiality impact, limited integrity impact and no availability impact.
AI Analysis
Technical Summary
CVE-2026-33134 is an authenticated SQL Injection vulnerability identified in the WeGIA web management software, specifically in versions 3.6.5 and earlier. The vulnerability resides in the html/matPat/restaurar_produto.php script, where the id_produto parameter is retrieved directly from the HTTP GET request and embedded into two SQL query strings without any form of sanitization, type enforcement, or use of prepared statements. This improper neutralization of special elements (CWE-89) allows an attacker with valid credentials to inject arbitrary SQL commands. The impact of this injection can lead to full compromise of the backend database, exposing sensitive data or enabling unauthorized data manipulation. The vulnerability is critical with a CVSS v3.1 base score of 9.3, reflecting its ease of exploitation over the network without user interaction, but requiring authentication. The scope is complete database compromise affecting confidentiality primarily, with some integrity impact and no direct availability impact. The issue has been addressed in WeGIA version 3.6.6 by implementing proper input validation and secure coding practices. No known exploits are currently reported in the wild, but the severity and nature of the flaw make it a high-risk vulnerability for affected installations.
Potential Impact
The primary impact of CVE-2026-33134 is the potential full compromise of the database backend of WeGIA installations running vulnerable versions. This can lead to unauthorized disclosure of sensitive information managed by charitable institutions, including donor data, financial records, and operational details. Attackers could also manipulate or delete data, undermining data integrity and trustworthiness. Although availability is not directly affected, the loss of data confidentiality and integrity can severely disrupt organizational operations and damage reputations. Given that WeGIA is used by charitable organizations, the exposure of donor and beneficiary information could have legal and compliance ramifications, including violations of data protection regulations. The requirement for authentication limits exploitation to insiders or attackers who have obtained valid credentials, but the lack of user interaction and the network accessibility of the vulnerable endpoint increase the risk. Organizations worldwide using WeGIA versions below 3.6.6 face significant risk of data breaches and operational disruption if this vulnerability is exploited.
Mitigation Recommendations
Organizations should immediately upgrade WeGIA to version 3.6.6 or later, where the vulnerability has been fixed. Until the upgrade is applied, restrict access to the vulnerable endpoint (html/matPat/restaurar_produto.php) using network-level controls such as firewalls or VPNs to limit exposure. Implement strict input validation and enforce type casting on all user-supplied parameters, particularly id_produto, to ensure only valid integer values are accepted. Employ parameterized SQL queries (prepared statements) throughout the application to prevent SQL injection. Conduct thorough code reviews and security testing to identify and remediate similar injection flaws elsewhere in the application. Monitor logs for suspicious activity indicative of SQL injection attempts or unauthorized access. Enforce strong authentication and access controls to reduce the risk of credential compromise. Finally, educate developers on secure coding practices to prevent recurrence of such vulnerabilities.
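The two controls recommended above (integer validation of id_produto and prepared statements for both queries) are shown here as an added illustration of the CWE-89 pattern the advisory describes. This is not WeGIA's code: the table names (produto, log_produto), column names and function names are hypothetical, and the in-memory SQLite setup at the bottom is constructed test data.

```php
<?php
declare(strict_types=1);

// Hypothetical illustration of the flaw class named in the advisory.
// Table and column names are assumptions, not WeGIA's schema.

// Vulnerable pattern: the id_produto GET parameter is dropped straight into
// two query strings, so any SQL metacharacters in it change the query.
function restaurarProdutoInseguro(PDO $db, array $get): void
{
    $id = $get['id_produto'];                                  // untrusted string
    $db->exec("UPDATE produto SET ativo = 1 WHERE id_produto = $id");
    $db->exec("INSERT INTO log_produto (id_produto, acao) VALUES ($id, 'restaurar')");
}

// Hardened version: reject anything that is not a positive integer, then bind
// the value as an integer parameter in both statements inside one transaction.
function restaurarProduto(PDO $db, array $get): bool
{
    $id = filter_var(
        $get['id_produto'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        return false;                                          // caller answers HTTP 400
    }

    $db->beginTransaction();
    try {
        $upd = $db->prepare('UPDATE produto SET ativo = 1 WHERE id_produto = :id');
        $upd->bindValue(':id', $id, PDO::PARAM_INT);
        $upd->execute();

        $log = $db->prepare('INSERT INTO log_produto (id_produto, acao) VALUES (:id, :acao)');
        $log->bindValue(':id', $id, PDO::PARAM_INT);
        $log->bindValue(':acao', 'restaurar', PDO::PARAM_STR);
        $log->execute();

        $db->commit();
    } catch (PDOException $e) {
        $db->rollBack();
        throw $e;
    }
    return $upd->rowCount() === 1;                             // exactly one product restored
}

// Constructed demonstration data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE produto (id_produto INTEGER PRIMARY KEY, nome TEXT, ativo INTEGER)');
$db->exec('CREATE TABLE log_produto (id INTEGER PRIMARY KEY AUTOINCREMENT, id_produto INTEGER, acao TEXT)');
$db->exec("INSERT INTO produto VALUES (1, 'cadeira', 0), (2, 'mesa', 0)");

// A tampered parameter never reaches the database; a well-formed id restores one row.
var_dump(restaurarProduto($db, ['id_produto' => '1 OR 1=1']));
var_dump(restaurarProduto($db, ['id_produto' => '1']));
var_dump((int) $db->query('SELECT COUNT(*) FROM produto WHERE ativo = 1')->fetchColumn());
var_dump((int) $db->query('SELECT COUNT(*) FROM log_produto')->fetchColumn());
```

The validation step is what turns the parameter into a typed value, and the PDO::PARAM_INT binding is what keeps it out of the SQL text; both are needed, since binding alone would still accept nonsensical ids and validation alone still leaves the query built by string concatenation. Wrapping the UPDATE and the log INSERT in one transaction also means a failed write cannot leave a restored product without its audit record.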
Affected Countries
Brazil, United States, Canada, United Kingdom, Germany, France, Australia, India, South Africa, Mexico
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T20:35:49.928Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bd275fe32a4fbe5f531f0e
Added to database: 3/20/2026, 10:54:23 AM
Last enriched: 3/27/2026, 7:42:41 PM
Last updated: 5/2/2026, 12:05:16 PM