WeGIA SQLi: Authenticated Users Can Impersonate Others
The National Vulnerability Database has disclosed CVE-2026-40285, a high-severity SQL injection vulnerability (CVSS 8.8) in WeGIA, a web manager for charitable institutions. Versions prior to 3.6.10 are affected. The flaw resides in dao/memorando/UsuarioDAO.php and stems from insecure handling of the cpf_usuario POST parameter.
This vulnerability allows any authenticated user to overwrite their session-stored identity via extract($_REQUEST) in DespachoControle::verificarDespacho(). The attacker-controlled value is then interpolated directly into a raw SQL query. As a result, a low-privileged user can execute database queries under the identity of any other user, including administrators, leading to full compromise and manipulation of the data.
For defenders, this is a critical access control bypass. The fact that it requires authentication doesn’t diminish its severity; once an attacker has a foothold, even a low-level one, they can effectively escalate privileges and operate as any other user. Organizations using WeGIA must immediately upgrade to version 3.6.10 to remediate this issue and review logs for any suspicious activity indicative of unauthorized identity changes or database access.
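The bug class described above, as an added PHP illustration that is not WeGIA's code and not a reconstruction of the real file: a session-loaded identity is clobbered by extract() over the request, then interpolated into SQL, shown beside a hardened version that reads identity only from the session and binds values through a prepared statement. The function names verificarDespachoVulnerable and verificarDespachoSafe, the despacho table and its columns, and the sample CPF values are all hypothetical; the script runs against an in-memory SQLite database and needs the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Added illustration; not WeGIA's code. Reproduces the bug class from the
// advisory (extract() over request data overwriting a session-loaded identity
// that is then interpolated into SQL) next to a hardened version. Table, column
// and function names are hypothetical; sample rows are constructed.

function setupDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE despacho (id INTEGER PRIMARY KEY, cpf_usuario TEXT, texto TEXT)');
    // Constructed sample data: one row for a regular user, one for an admin.
    $pdo->exec("INSERT INTO despacho VALUES (1, '11111111111', 'user record')");
    $pdo->exec("INSERT INTO despacho VALUES (2, '99999999999', 'admin record')");
    return $pdo;
}

// Vulnerable shape (hypothetical): $session stands in for $_SESSION and
// $request for $_REQUEST so the function can be exercised from the CLI.
function verificarDespachoVulnerable(PDO $pdo, array $session, array $request): array
{
    $cpf_usuario = $session['cpf_usuario'];   // identity set at login
    extract($request);                        // every request key becomes a local;
                                              // a 'cpf_usuario' key overwrites the line above
    $sql = "SELECT texto FROM despacho WHERE cpf_usuario = '$cpf_usuario'";  // raw interpolation
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened shape.
function verificarDespachoSafe(PDO $pdo, array $session, array $request): array
{
    // 1. Identity is taken only from the server-side session, never from the request.
    $cpf_usuario = $session['cpf_usuario'] ?? null;
    if (!is_string($cpf_usuario)) {
        throw new RuntimeException('not authenticated');
    }
    // 2. Request fields are read explicitly and validated; extract() is never used.
    $id = filter_var($request['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('invalid id');
    }
    // 3. Values are bound through a prepared statement, not concatenated into SQL.
    $stmt = $pdo->prepare('SELECT texto FROM despacho WHERE cpf_usuario = :cpf AND id = :id');
    $stmt->execute([':cpf' => $cpf_usuario, ':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = setupDb();
$session = ['cpf_usuario' => '11111111111'];            // low-privileged user is logged in
$request = ['id' => 2, 'cpf_usuario' => '99999999999']; // request also carries a cpf_usuario key

var_dump(verificarDespachoVulnerable($pdo, $session, $request));
var_dump(verificarDespachoSafe($pdo, $session, $request));
```

Run with the CLI, the vulnerable function returns the admin's row because the request key replaced the session value before the query was built, while the hardened function returns an empty result set for the same inputs because the identity never left the session. The important design choice is the first step: parameterising the query alone would stop the injection but not the impersonation, so the identity must be sourced from the session and request parsing must be explicit rather than via extract().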
What This Means For You
- If your organization uses WeGIA, you are exposed to critical privilege escalation. Attackers can leverage even a basic authenticated account to impersonate any user, including administrators, and access or manipulate sensitive data. Patch to version 3.6.10 immediately and audit all database access logs for unusual activity, especially identity changes or queries from low-privileged accounts.
🛡️ Detection Rules
CVE-2026-40285: WeGIA SQL Injection via cpf_usuario POST parameter
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40285 | SQLi | WeGIA web manager versions prior to 3.6.10 |
| CVE-2026-40285 | SQLi | Vulnerable file: dao/memorando/UsuarioDAO.php |
| CVE-2026-40285 | SQLi | Vulnerable parameter: cpf_usuario (POST parameter) |
| CVE-2026-40285 | SQLi | Vulnerable function: DespachoControle::verificarDespacho() via extract($_REQUEST) |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 18, 2026 at 00:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.