QwikSec

Security Database

CVE

CWE

Training

CVE-2026-33133

Published: Mar 20, 2026

Modified: Mar 24, 2026

PUBLISHED

Description

WeGIA is a web manager for charitable institutions. In versions 3.6.5 and 3.6.6, the loadBackupDB() function imports SQL files from uploaded backup archives without any content validation. An attacker can craft a backup archive containing arbitrary SQL statements that create rogue administrator accounts, modify existing passwords, or execute any database operation. This was introduced in commit 370104c. This issue was patched in version 3.6.7.

Vendor	Product	Versions
LabRedesCefetRJ	WeGIA	affected `>= 3.6.5, < 3.6.7`

Weaknesses (CWE)

References

https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-qqff-p8fc-hg5f

x_refsource_CONFIRM

https://github.com/LabRedesCefetRJ/WeGIA/pull/1459

x_refsource_MISC

https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.