Home / Vulnerability Intelligence / CVE-2026-31896

CVE-2026-31896 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: March 12, 2026

WeGIA - SQL Injection

Published: March 11, 2026Updated: March 12, 2026Remote Exploitable

Overview

WeGIA < 3.6.6 contains a SQL injection caused by unsanitized use of extract($_REQUEST) in remover_produto_ocultar.php, letting authenticated or auth-bypassed attackers execute arbitrary SQL commands.

Severity & Score

Severity: Critical

CVSS Score: 9.8

EPSS Score: 2.9%(Probability of exploitation in next 30 days)

Impact

Attackers can execute arbitrary SQL commands to exfiltrate data or cause denial of service via time delays.

Mitigation

Upgrade to version 3.6.6 or later.

References

https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w7g3-87cr-8m83

Social Media Activity(1 post)

Offensive Sequence

@offseq

Mar 12, 2026

⚠️ CRITICAL: CVE-2026-31896 in WeGIA <3.6.6 enables unauthenticated SQL injection via remover_produto_ocultar.php. Attackers can read or modify DB data. Patch to 3.6.6+ ASAP or apply WAF rules. Details: https://radar.offseq.com/threat/cve-2026-31896-cwe-89-improper-neutralization-of-s-90bf525e #OffSeq #SQLInjection #InfoSec

View original post

Related Resources

Details

CVE ID: CVE-2026-31896
Severity: Critical
CVSS Score: 9.8
Type: sql_injection
Status: unconfirmed
EPSS: 2.9%
Social Posts: 1

CWE

CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

2.9%Probability of exploitation in the next 30 days