CVE-2026-35395 - Vulnerability Analysis

Overview

WeGIA < 3.6.9 contains a SQL injection caused by unvalidated id_memorando parameter in dao/memorando/DespachoDAO.php, letting authenticated users execute arbitrary SQL commands against the database, exploit requires authentication.

Severity & Score

Impact

Authenticated users can execute arbitrary SQL commands, potentially leading to data disclosure, modification, or deletion.

Mitigation

Update to version 3.6.9 or later.

References

• https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-43jm-pcrq-w7gv

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 7, 2026

🟠 CVE-2026-35395 - High (8.8) WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, WeGIA (Web gerenciador para instituições assistenciais) contains a SQL injection vulnerability in dao/memorando/DespachoDAO.php. The id_memorando parameter is extracted from $_R... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-35395/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner