Labredescefetrj Wegia vulnerabilities
173 known vulnerabilities affecting labredescefetrj/wegia.
Total CVEs: 173
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 36, HIGH 44, MEDIUM 92
Vulnerabilities
Page 4 of 9
CVE-2026-33991 | P3 | HIGH | CVSS 8.8 | fixed in 3.6.7 | 2026-03-27
CWE-89
WeGIA is a web manager for charitable institutions. Prior to version 3.6.7, the file `html/socio/sistema/deletar_tag.php` uses `extract($_REQUEST)` on line 14 and directly concatenates the `$id_tag` variable into SQL queries on lines 16-17 without prepared statements or sanitization. Version 3.6.7 patches the vulnerability.
Source: nvd
CVE-2025-58453 | P3 | HIGH | CVSS 8.2 | fixed in 3.4.11 | 2025-09-08
CWE-89
WeGIA is a Web manager for charitable institutions. A SQL Injection vulnerability was identified in WeGIA versions 3.4.10 and prior in the endpoint /WeGIA/html/memorando/exibe_anexo.php, in the id_anexo parameter. This vulnerability allows an authorized attacker to execute arbitrary SQL queries, allowing access to sensitive information. Version 3.4.11 co
Source: nvd
CVE-2025-58454 | P3 | HIGH | CVSS 8.2 | fixed in 3.4.11 | 2025-09-08
CWE-89
WeGIA is a Web manager for charitable institutions. A SQL Injection vulnerability was identified in WeGIA versions 3.4.10 and prior in the endpoint /WeGIA/html/memorando/listar_despachos.php, in the id_memorando parameter. This vulnerability allows an authorized attacker to execute arbitrary SQL queries, allowing access to sensitive information. Version 3
Source: nvd
CVE-2025-52474 | P3 | CRITICAL | CVSS 9.8 | fixed in 3.4.2 | 2025-06-19
CWE-89
WeGIA is a web manager for charitable institutions. Prior to version 3.4.2, a SQL Injection vulnerability was identified in the id parameter of the /WeGIA/controle/control.php endpoint. This vulnerability allows an attacker to manipulate SQL queries and access sensitive database information, such as table names and sensitive data. This issue has been
Source: nvd
CVE-2025-53938 | P3 | HIGH | CVSS 7.5 | fixed in 3.4.5 | 2025-07-16
CWE-306
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. An Authentication Bypass vulnerability was identified in the `/dao/verificar_recursos_cargo.php` endpoint of the WeGIA application prior to version 3.4.5. This vulnerability allows unauthenticated users to access protected application functionaliti
Source: nvd
CVE-2025-61665 | P3 | HIGH | CVSS 7.5 | fixed in 3.5.0 | 2025-10-02
CWE-200
WeGIA is an open source web manager with a focus on charitable institutions. Versions 3.4.12 and below contain a Broken Access Control vulnerability, identified in the get_relatorios_socios.php endpoint. This vulnerability allows unauthenticated attackers to directly access sensitive personal and financial information of members without requiring auth
Source: nvd
CVE-2026-33133 | P3 | HIGH | CVSS 7.2 | affected versions >= 3.6.5, < 3.6.7 | 2026-03-20
CWE-89
WeGIA is a web manager for charitable institutions. In versions 3.6.5 and 3.6.6, the loadBackupDB() function imports SQL files from uploaded backup archives without any content validation. An attacker can craft a backup archive containing arbitrary SQL statements that create rogue administrator accounts, modify existing passwords, or execute any databas
Source: nvd
CVE-2026-23723 | P3 | HIGH | CVSS 7.2 | fixed in 3.6.2 | 2026-01-16
CWE-89
WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an authenticated SQL Injection vulnerability was identified in the Atendido_ocorrenciaControle endpoint via the id_memorando parameter. This flaw allows for full database exfiltration, exposure of sensitive PII, and potential arbitrary file reads in misconfigured environments. This vul
Source: nvd
CVE-2026-31894 | P3 | HIGH | CVSS 7.5 | affected versions >= 3.6.5, < 3.6.6 | 2026-03-11
CWE-59
WeGIA is a web manager for charitable institutions. In 3.6.5, the patched loadBackupDB() extracts tar.gz archives to a temporary directory using PHP's PharData class, then uses glob() and file_get_contents() to read SQL files from the extracted contents. Neither the extraction nor the file reading validates whether archive members are symbolic links. T
Source: nvd
CVE-2025-26615 | P3 | HIGH | CVSS 7.5 | fixed in 3.2.14 | 2025-02-18
CWE-22
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A Path Traversal vulnerability was discovered in the WeGIA application, `examples.php` endpoint. This vulnerability could allow an attacker to gain unauthorized access to sensitive information stored in `config.php`. `config.php` contains information that co
Source: nvd
CVE-2025-26616 | P3 | HIGH | CVSS 7.5 | fixed in 3.2.14 | 2025-02-18
CWE-22
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A Path Traversal vulnerability was discovered in the WeGIA application, `exportar_dump.php` endpoint. This vulnerability could allow an attacker to gain unauthorized access to sensitive information stored in `config.php`. `config.php` contains information th
Source: nvd
CVE-2025-55171 | P3 | HIGH | CVSS 7.5 | fixed in 3.4.8 | 2025-08-12
CWE-287
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Prior to version 3.4.8, the application does not check authentication at endpoint /html/personalizacao_remover.php, allowing an anonymous attacker (without login) to delete any image files at endpoint /html/personalizacao_remover.php by defining imagem
Source: nvd
CVE-2026-40286 | P3 | HIGH | CVSS 7.5 | fixed in 3.6.10 | 2026-04-17
CWE-79
WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the 'Member Registration' (Cadastrar Sócio) function. By injecting a payload into the 'Member Name' (Nome Sócio) field, the script is persistently stored in the database. Consequently, the payload is execu
Source: nvd
CVE-2025-27419 | P3 | HIGH | CVSS 7.5 | fixed in 3.2.16 | 2025-03-03
CWE-770
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A Denial of Service (DoS) vulnerability exists in WeGIA. This vulnerability allows any unauthenticated user to cause the server to become unresponsive by performing aggressive spidering. The vulnerability is caused by recursive crawling of dynamically gener
Source: nvd
CVE-2025-53531 | P3 | HIGH | CVSS 7.5 | fixed in 3.3.0 | 2025-07-07
CWE-770
WeGIA is a web manager for charitable institutions. The Wegia server has a vulnerability that allows excessively long HTTP GET requests to a specific URL. This issue arises from the lack of validation for the length of the fid parameter. Tests confirmed that the server processes URLs up to 8,142 characters, resulting in high resource consumption, elev
Source: nvd
CVE-2025-53530 | P3 | HIGH | CVSS 7.5 | fixed in 3.3.0 | 2025-07-07
CWE-770
WeGIA is a web manager for charitable institutions. The Wegia server has a vulnerability that allows excessively long HTTP GET requests to a specific URL. This issue arises from the lack of validation for the length of the errorstr parameter. Tests confirmed that the server processes URLs up to 8,142 characters, resulting in high resource consumption,
Source: nvd
CVE-2026-42871 | P3 | MEDIUM | CVSS 6.9 | fixed in 3.7.0 | 2026-05-11
CWE-200
WeGIA is a web manager for charitable institutions. In versions prior to 3.7.0, atendido/familiar_docfamiliar.php displays an overly descriptive error message, including database-related details. This verbosity leads to information disclosure, which could assist a potential attacker in mapping the backend infrastructure and expanding the attack surf
Source: nvd
CVE-2026-40283 | P3 | HIGH | CVSS 7.6 | fixed in 3.6.10 | 2026-04-17
CWE-79
WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the "Nome" field in the "Informações Pacientes" page. The payload is stored and executed when the patient information is viewed. Version 3.6.10 fixes the issue
Source: nvd
CVE-2025-57764 | P3 | HIGH | CVSS 8.2 | fixed in 3.4.7 | 2025-08-21
CWE-79
WeGIA is a Web manager for charitable institutions. Prior to 3.4.7, a Reflected Cross-Site Scripting (XSS) vulnerability was identified in the cargos.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the msg_e parameter. This vulnerability is fixed in 3.4.7.
Source: nvd
CVE-2025-57765 | P3 | HIGH | CVSS 8.2 | fixed in 3.4.7 | 2025-08-21
CWE-79
WeGIA is a Web manager for charitable institutions. Prior to 3.4.7, a Reflected Cross-Site Scripting (XSS) vulnerability was identified in the pre_cadastro_adotante.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the msg_e parameter. This vulnerability is fixed in 3.4.7.
Source: nvd