CVE-2026-33991 is an SQL Injection vulnerability identified in the WeGIA web management system developed by LabRedesCefetRJ, specifically affecting versions prior to 3.6.7. The vulnerability is located in the file `html/socio/sistema/deletar_tag.php`, where the PHP function extract($_REQUEST) is used on line 14 to import request variables into the local symbol table. Subsequently, the variable `$id_tag` derived from user input is directly concatenated into SQL queries on lines 16 and 17 without any sanitization or use of prepared statements. This improper neutralization of special elements in SQL commands (CWE-89) allows an attacker with low privileges to inject malicious SQL code remotely, potentially leading to unauthorized data access, modification, or deletion. The vulnerability does not require user interaction and can be exploited over the network, increasing its risk profile. The vendor addressed this issue in version 3.6.7 by presumably implementing proper input validation and prepared statements to prevent injection. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no user interaction required. No known exploits have been reported in the wild as of the publication date. This vulnerability highlights the risks of unsafe PHP coding practices and the importance of secure input handling in web applications managing sensitive data.

The exploitation of CVE-2026-33991 can have severe consequences for organizations using vulnerable versions of WeGIA. Attackers can execute arbitrary SQL commands, leading to unauthorized disclosure of sensitive data such as donor information, financial records, or personal details of beneficiaries. Data integrity can be compromised by unauthorized modification or deletion of records, potentially disrupting charitable operations and eroding trust. Availability may also be affected if attackers delete critical data or cause database corruption, resulting in service outages. Given that WeGIA is used by charitable institutions, such disruptions could impact critical social services and fundraising activities. The ease of exploitation and network accessibility make this vulnerability attractive to attackers, including opportunistic cybercriminals and potentially nation-state actors targeting social sector organizations. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially if attackers develop proof-of-concept exploits. Organizations failing to patch may face data breaches, regulatory penalties, reputational damage, and operational interruptions.

Organizations using WeGIA should immediately upgrade to version 3.6.7 or later, where the vulnerability is patched. If upgrading is not immediately feasible, implement the following mitigations: 1) Apply web application firewall (WAF) rules to detect and block SQL injection patterns targeting the vulnerable endpoint `html/socio/sistema/deletar_tag.php`. 2) Restrict database user permissions to the minimum necessary to limit the impact of injection attacks. 3) Conduct code audits to identify and refactor any other instances of unsafe input handling, replacing extract($_REQUEST) with explicit input validation and using parameterized queries or prepared statements. 4) Monitor application logs for suspicious activity indicative of injection attempts. 5) Educate developers on secure coding practices to prevent similar vulnerabilities. 6) Employ runtime application self-protection (RASP) tools if available to detect and block injection attacks in real time. These measures, combined with patching, will significantly reduce the risk of exploitation.