WeGIA Web Manager versions prior to 3.6.6 contain a high-severity SQL injection vulnerability (CVE-2026-33134, CVSS 8.8) in the `id_produto` GET parameter that allows authenticated attackers to execute arbitrary SQL commands, enabling full database enumeration, extraction, or manipulation. No active exploitation has been reported and EPSS is low, but the authentication requirement provides limited protection given that valid credentials are frequently available to threat actors through phishing or credential reuse. Organizations running WeGIA should upgrade to v3.6.6 or later immediately and apply WAF controls as an interim measure if patching is delayed.
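Because `id_produto` is a GET parameter, its values land in the web server's access log, so logs can be reviewed for requests that should not have reached the database. The following is an added example, not code from the advisory or from the WeGIA project: it flags access-log lines whose `id_produto` value is not a plain integer. It assumes the parameter is meant to carry a numeric identifier and that logs are in combined log format; the request path and the log lines are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: id_produto should be a short unsigned integer. The advisory
# does not state the parameter's type; adjust the pattern if it differs.
STRICT_INT = re.compile(r"[0-9]{1,10}")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')


def suspicious_values(log_line, param="id_produto"):
    """Return decoded values of `param` in one log line that are not plain integers."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    query = urlsplit(m.group(1)).query
    # parse_qs URL-decodes values and keeps every repeat of the parameter,
    # so encoded characters and duplicate parameters are both inspected.
    values = parse_qs(query, keep_blank_values=True).get(param, [])
    return [v for v in values if not STRICT_INT.fullmatch(v)]


def triage(lines):
    """Return (line_number, client_ip, bad_values) for each line needing review."""
    hits = []
    for n, line in enumerate(lines, 1):
        bad = suspicious_values(line)
        if bad:
            hits.append((n, line.split(" ", 1)[0], bad))
    return hits


# Constructed sample lines; "/PLACEHOLDER.php" stands in for the real endpoint,
# which the advisory summary does not name.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2026:10:00:00 +0000] "GET /PLACEHOLDER.php?id_produto=42 HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2026:10:00:05 +0000] "GET /PLACEHOLDER.php?id_produto=42%27 HTTP/1.1" 500 0',
    '192.0.2.11 - - [01/Jan/2026:10:00:09 +0000] "GET /PLACEHOLDER.php?id_produto=7&id_produto=abc HTTP/1.1" 200 512',
    '192.0.2.12 - - [01/Jan/2026:10:00:12 +0000] "GET /PLACEHOLDER.php?nome=x HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

The same strict-integer rule can serve as the interim WAF control: reject any request whose `id_produto` fails the pattern rather than trying to match known-bad strings.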