CVE-2026-33133 in WeGIAinfo

Summary

by MITRE • 03/20/2026

WeGIA is a web manager for charitable institutions. In versions 3.6.5 and 3.6.6, the loadBackupDB() function imports SQL files from uploaded backup archives without any content validation. An attacker can craft a backup archive containing arbitrary SQL statements that create rogue administrator accounts, modify existing passwords, or execute any database operation. This was introduced in commit 370104c. This issue was patched in version 3.6.7.


Analysis

by VulDB Data Team • 03/26/2026

CVE-2026-33133 affects WeGIA, a web-based management system for charitable institutions. Because the application holds an organization's records and operational data, it is an attractive target for anyone seeking unauthorized access to sensitive information. The vulnerability lies in the loadBackupDB() function, which handles database backup restoration, and it is a fundamental flaw in the application's input validation. Versions 3.6.5 and 3.6.6 contain a critical design oversight that allows arbitrary SQL to be executed against the database through the restore path.

The flaw is the absence of any content validation when loadBackupDB() imports SQL files: the function accepts an uploaded backup archive and executes the SQL statements it contains without sanitization or verification. User-supplied data is therefore passed straight to the database, which combines an unrestricted file upload with the effect of SQL injection, since the attacker controls the statements that run. The issue was introduced in commit 370104c, a code change that weakened the input validation controls on database restoration. The lack of access controls and input sanitization on this path creates a route to privilege escalation and data manipulation.

The operational impact of this vulnerability is severe and multifaceted, potentially allowing attackers to gain full administrative control over the charitable institution's database. An attacker can create rogue administrator accounts, modify existing user credentials, and execute any database operation that the application's database user permissions allow. This includes data exfiltration, modification of charitable records, financial data manipulation, and potential disruption of critical organizational services. The vulnerability affects the integrity, confidentiality, and availability of the system, as unauthorized users could alter or delete critical charitable institution data. The implications extend beyond simple data theft, as this could compromise the trust and operations of charitable organizations that rely on accurate and secure data management. The attack surface is particularly concerning given that charitable institutions often handle sensitive donor information, financial records, and operational data that requires strict security controls.

The vulnerability aligns with CWE-434 (insecure file upload handling) and violates basic input validation and sanitization practice. In ATT&CK terms it maps to T1078 (Valid Accounts) and T1566 (Phishing), as attackers could use the created administrative accounts to maintain persistent access. Mitigation requires immediate deployment of version 3.6.7, which adds validation and sanitization of SQL content during backup restoration. Organizations should additionally restrict who may upload backup files, enforce strict file type validation, and regularly assess their database operations. The fix should include parameterization of SQL queries, input sanitization, and access controls that prevent unauthorized database modifications. Security teams should also consider database activity monitoring and anomaly detection to identify exploitation attempts and to keep audit trails of database operations.
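To make the missing control concrete, here is a restore routine with the validation loadBackupDB() lacks, added as an illustration; it is not WeGIA's code or its 3.6.7 fix, and the instance key, statement allowlist, table name and dump format are all constructed assumptions.

```python
import hashlib
import hmac
import re

# Hypothetical per-instance secret. In a real deployment it comes from server-side
# configuration and is never derived from, or shipped inside, the uploaded archive.
INSTANCE_KEY = b"constructed-example-key"

# Statement kinds the application's own backup routine is assumed to emit
# (constructed allowlist; a real one mirrors the actual dump format).
EXPECTED_STATEMENTS = re.compile(
    r"^(CREATE TABLE|DROP TABLE IF EXISTS|INSERT INTO|LOCK TABLES|UNLOCK TABLES|SET )",
    re.IGNORECASE,
)


def create_backup(sql_dump: str, key: bytes = INSTANCE_KEY) -> dict:
    """Package a dump with an HMAC-SHA256 tag so a later restore can prove its origin."""
    tag = hmac.new(key, sql_dump.encode(), hashlib.sha256).hexdigest()
    return {"sql": sql_dump, "hmac": tag}


def split_statements(sql: str) -> list:
    # Naive splitter for the example: real dumps need a tokenizer that understands
    # quoted literals, since a ';' inside a string would otherwise split a statement.
    return [s.strip() for s in sql.split(";") if s.strip()]


def restore_backup(archive: dict, key: bytes = INSTANCE_KEY) -> tuple:
    """Validated counterpart of an unchecked loadBackupDB(): returns (accepted, detail).

    Layer 1 (authenticity) is what actually stops a crafted archive: only dumps tagged
    with this instance's key are accepted. Layer 2 (content shape) is a sanity check and
    a log signal, not a substitute, because an INSERT that adds an administrator row is
    a perfectly valid dump statement and would pass it.
    """
    expected = hmac.new(key, archive.get("sql", "").encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, archive.get("hmac", "")):
        return (False, "hmac mismatch: archive was not produced by this instance")
    statements = split_statements(archive["sql"])
    for stmt in statements:
        if not EXPECTED_STATEMENTS.match(stmt):
            return (False, f"unexpected statement kind: {stmt.split()[0]}")
    # Only at this point would the statements be handed to the database driver.
    return (True, f"{len(statements)} statements accepted")


# Constructed sample dump with the shape a legitimate backup would have.
GENUINE_DUMP = (
    "DROP TABLE IF EXISTS `donations`;\n"
    "CREATE TABLE `donations` (`id` int, `amount` decimal(10,2));\n"
    "INSERT INTO `donations` VALUES (1, 50.00);\n"
)
```

An archive assembled outside the application carries no valid tag, so restore_backup() refuses it before any of its SQL reaches the database, and the detail string gives operators something specific to log.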

Responsible: GitHub M

Reservation: 03/17/2026

Disclosure: 03/20/2026

Moderation: accepted

CPE: ready

EPSS: 0.00099

KEV: no

Activities: very low

Sources
