{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31895", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T21:59:02.688Z", "datePublished": "2026-03-11T19:08:18.763Z", "dateUpdated": "2026-03-11T20:27:50.897Z"}, "containers": {"cna": {"title": "WeGIA has a SQL Injection via Direct Query Interpolation in restaurar_produto.php", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-m39r-p62f-vmqm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-m39r-p62f-vmqm"}], "affected": [{"vendor": "LabRedesCefetRJ", "product": "WeGIA", "versions": [{"version": "< 3.6.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T19:08:18.763Z"}, "descriptions": [{"lang": "en", "value": "WeGIA is a web manager for charitable institutions. Prior to version 3.6.6, WeGIA (Web gerenciador para institui\u00e7\u00f5es assistenciais) contains a SQL injection vulnerability in html/matPat/restaurar_produto.php. The id_produto parameter from $_GET is directly interpolated into SQL queries without parameterization or sanitization. This vulnerability is fixed in 3.6.6."}], "source": {"advisory": "GHSA-m39r-p62f-vmqm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T20:25:27.538282Z", "id": "CVE-2026-31895", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T20:27:50.897Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31895", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-11T20:25:27.538282Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T20:27:46.042Z"}}], "cna": {"title": "WeGIA has a SQL Injection via Direct Query Interpolation in restaurar_produto.php", "source": {"advisory": "GHSA-m39r-p62f-vmqm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "LabRedesCefetRJ", "product": "WeGIA", "versions": [{"status": "affected", "version": "< 3.6.6"}]}], "references": [{"url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-m39r-p62f-vmqm", "name": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-m39r-p62f-vmqm", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "WeGIA is a web manager for charitable institutions. Prior to version 3.6.6, WeGIA (Web gerenciador para institui\u00e7\u00f5es assistenciais) contains a SQL injection vulnerability in html/matPat/restaurar_produto.php. The id_produto parameter from $_GET is directly interpolated into SQL queries without parameterization or sanitization. This vulnerability is fixed in 3.6.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T19:08:18.763Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31895", "state": "PUBLISHED", "dateUpdated": "2026-03-11T20:27:50.897Z", "dateReserved": "2026-03-09T21:59:02.688Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T19:08:18.763Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*", "matchCriteriaId": "6CDCF05A-C4CA-4349-9BEC-BD27A89E1699", "versionEndExcluding": "3.6.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WeGIA is a web manager for charitable institutions. Prior to version 3.6.6, WeGIA (Web gerenciador para institui\u00e7\u00f5es assistenciais) contains a SQL injection vulnerability in html/matPat/restaurar_produto.php. The id_produto parameter from $_GET is directly interpolated into SQL queries without parameterization or sanitization. This vulnerability is fixed in 3.6.6."}, {"lang": "es", "value": "WeGIA es un gestor web para instituciones asistenciales. Antes de la versi\u00f3n 3.6.6, WeGIA (Web gerenciador para institui\u00e7\u00f5es assistenciais) contiene una vulnerabilidad de inyecci\u00f3n SQL en html/matPat/restaurar_produto.php. El par\u00e1metro id_produto de $_GET se interpola directamente en las consultas SQL sin parametrizaci\u00f3n ni saneamiento. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 3.6.6."}], "id": "CVE-2026-31895", "lastModified": "2026-03-13T20:06:31.840", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-11T20:16:15.633", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-m39r-p62f-vmqm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.6.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "WeGIA", "source": "cna", "vendor": "LabRedesCefetRJ"}, "product": "wegia", "vendor": "labredescefetrj"}], "analysis": {"en": {"generated_at": "2026-03-17T15:48:35.427355+00:00", "value": {"mitigation_remediation": ["Apply the vendor's patch to upgrade to WeGIA version 3.6.6 or later."], "summary": {"action": "Immediate Patch", "impact": "Data Compromise"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in all releases of WeGIA prior to version 3.6.6, including 3.6.5 and earlier. The vendor identified the affected product as LabRedesCefetRJ:WeGIA.", "description_and_impact": "WeGIA, a web manager for charitable institutions, contains a SQL injection flaw in the restaurar_produto.php file. The id_produto value from the $_GET request is inserted directly into a SQL query without any parameterization or sanitization, allowing an attacker to manipulate the query argument. This flaw is a classic example of CWE-89 and could enable unauthorized reading, modification, or deletion of product data, and potentially broader database compromise if the attacker can elevate their privileges in the resulting SQL context.", "risk_and_exploitability": "The CVSS score for this issue is 8.8, indicating a high severity level. The EPSS score is less than 1%, suggesting that, at present, exploitation is unlikely but still possible in environments that expose the vulnerable endpoint. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation would likely occur remotely through a crafted URL containing a malicious id_produto value, though the specific authentication state required is not detailed in the source information."}}}}, "created": "2026-03-12T09:56:48.593166+00:00", "updated": "2026-03-20T15:29:23.348790+00:00", "vendors": ["labredescefetrj", "labredescefetrj$PRODUCT$wegia"]}