CVE-2026-33991HIGH 8.8EPSS p30.9%

CVE-2026-33991CVE-2026-33991

Description

WeGIA is a web manager for charitable institutions. Prior to version 3.6.7, the file `html/socio/sistema/deletar_tag.php` uses `extract($_REQUEST)` on line 14 and directly concatenates the `$id_tag` variable into SQL queries on lines 16-17 without prepared statements or sanitization. Version 3.6.7 patches the vulnerability.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS0.39% probability of exploitation · percentile 30.9% · 2026-06-19T12:03:05Z
Published2026-03-27
Last modified2026-03-31

Underlying weaknesses· 1

CWE-89

References

  1. https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-74xm-6wgf-x37j
  2. https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-74xm-6wgf-x37j

1

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection')cwe-890%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-31896
CVE
CVE-2026-35395
CVE
CVE-2026-31895
CVE
CVE-2025-53823
CVE
CVE-2025-24958
CVE
CVE-2026-40285
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.