{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-13T21:56:13.134","vulnerabilities":[{"cve":{"id":"CVE-2026-31896","sourceIdentifier":"security-advisories@github.com","published":"2026-03-11T20:16:15.797","lastModified":"2026-03-13T20:05:49.723","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"WeGIA is a web manager for charitable institutions. Prior to version 3.6.6, a critical SQL injection vulnerability exists in the WeGIA application. The remover_produto_ocultar.php script uses extract($_REQUEST) to populate local variables and then directly concatenates these variables into a SQL query executed via PDO::query. This allows an authenticated (or auth-bypassed) attacker to execute arbitrary SQL commands. This can be used to exfiltrate sensitive data from the database or, as demonstrated in this PoC, cause a time-based delay (denial of service). This vulnerability is fixed in 3.6.6."},{"lang":"es","value":"WeGIA es un gestor web para instituciones benéficas. Antes de la versión 3.6.6, existe una vulnerabilidad crítica de inyección SQL en la aplicación WeGIA. El script remover_produto_ocultar.php utiliza extract($_REQUEST) para poblar variables locales y luego concatena directamente estas variables en una consulta SQL ejecutada a través de PDO::query. Esto permite a un atacante autenticado (o con autenticación eludida) ejecutar comandos SQL arbitrarios. Esto puede usarse para exfiltrar datos sensibles de la base de datos o, como se demuestra en esta PoC, causar un retardo basado en el tiempo (denegación de servicio). Esta vulnerabilidad está corregida en la 3.6.6."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-89"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*","versionEndExcluding":"3.6.6","matchCriteriaId":"6CDCF05A-C4CA-4349-9BEC-BD27A89E1699"}]}]}],"references":[{"url":"https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w7g3-87cr-8m83","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}