# CVE-2026-40285

> Vulnerability · severity: **HIGH** (CVSS 8.8).

## Description

WeGIA is a web manager for charitable institutions. Versions prior to 3.6.10 contain a SQL injection vulnerability in dao/memorando/UsuarioDAO.php. The cpf_usuario POST parameter overwrites the session-stored user identity via extract($_REQUEST) in DespachoControle::verificarDespacho(), and the attacker-controlled value is then interpolated directly into a raw SQL query, allowing any authenticated user to query the database under an arbitrary identity. Version 3.6.10 fixes the issue.

## Key facts

- **CVE ID:** CVE-2026-40285
- **Published:** 2026-04-17
- **CVSS severity:** HIGH
- **CVSS base score:** 8.8
- **CWE codes:** CWE-89, CWE-302, CWE-473

## Primary sources

- NIST NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40285

## Citation

> AI Analytics. CVE-2026-40285. Retrieved 2026-07-15 from https://api.ai-analytics.org/cve/CVE-2026-40285. Derived from NIST NVD. Licensed CC0.

---

*[Dataset catalog](https://api.ai-analytics.org/datasets/) · [AI Analytics](https://api.ai-analytics.org/) · CC0 1.0*