Cve-2026-35395 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/cve-2026-35395/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 06 Apr 2026 21:16:21 +0000WeGIA Web Manager SQL Injection Vulnerability (CVE-2026-35395)https://feed.craftedsignal.io/briefs/2026-04-wegia-sql-injection/Mon, 06 Apr 2026 21:16:21 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-wegia-sql-injection/WeGIA web manager versions prior to 3.6.9 are vulnerable to SQL injection, allowing authenticated users to execute arbitrary SQL commands by directly interpolating the id_memorando parameter from $_REQUEST into SQL queries without validation, as identified by CVE-2026-35395.WeGIA (Web gerenciador para instituições assistenciais) is a web manager for charitable institutions. Versions prior to 3.6.9 are susceptible to a critical SQL injection vulnerability (CVE-2026-35395) found in the dao/memorando/DespachoDAO.php file. The id_memorando parameter, extracted from the $_REQUEST array, is directly incorporated into SQL queries without any validation or sanitization. This flaw enables authenticated users with low privileges to inject arbitrary SQL commands, potentially leading to complete database compromise. Successful exploitation could result in data breaches, modification of sensitive information, and denial-of-service conditions. Defenders should prioritize upgrading to version 3.6.9 or applying provided patches immediately.

Attack Chain

  1. An authenticated user logs into the WeGIA web application.
  2. The user navigates to a page that triggers the execution of dao/memorando/DespachoDAO.php.
  3. The application extracts the id_memorando parameter from the $_REQUEST array using the HTTP GET or POST method.
  4. The attacker crafts a malicious id_memorando parameter containing SQL injection payloads (e.g., 1; DROP TABLE users; --).
  5. The application directly interpolates the attacker-controlled id_memorando parameter into an SQL query without proper sanitization within the DespachoDAO.php file.
  6. The database server executes the injected SQL command, allowing the attacker to manipulate database records, read sensitive data, or execute arbitrary commands.
  7. The attacker may exfiltrate sensitive data from the database, such as user credentials, financial information, or confidential memorandums.
  8. The attacker achieves complete database compromise, potentially leading to a full system takeover.

Impact

The SQL injection vulnerability in WeGIA versions prior to 3.6.9 poses a significant risk to charitable institutions using the software. Successful exploitation can lead to unauthorized access to sensitive donor information, financial records, and confidential communications. The potential impact includes data breaches, financial losses, reputational damage, and legal liabilities. Given the nature of the targeted institutions, this vulnerability could severely disrupt their operations and erode public trust, potentially affecting thousands of individuals. Organizations that do not apply the patch are vulnerable to data breaches.

Recommendation

  • Immediately upgrade WeGIA to version 3.6.9 to remediate the SQL injection vulnerability described in CVE-2026-35395.
  • Implement input validation and sanitization for all user-supplied data, especially the id_memorando parameter in DespachoDAO.php, to prevent future SQL injection attacks.
  • Deploy the Sigma rule “Detect Suspicious WeGIA SQL Injection Attempts” to your SIEM and tune it for your environment to detect exploitation attempts.
  • Monitor web server logs for suspicious requests containing SQL injection payloads targeting the dao/memorando/DespachoDAO.php endpoint.
  • Restrict database access privileges to the minimum required for WeGIA to function correctly.
]]>criticaladvisorycve-2026-35395sql-injectionweb-application