CVE-2026-28411
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, an unsafe use of the extract() function on the $_REQUEST superglobal allows an unauthenticated attacker to overwrite local variables in multiple PHP scripts. This vulnerability can be leveraged to completely bypass authentication checks, allowing unauthorized access to administrative and protected areas of the WeGIA application. Version 3.6.5 fixes the issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| LabRedesCefetRJ | WeGIA | < 3.6.5 | affected |
Weaknesses
- CWE-288: CWE-288: Authentication Bypass Using an Alternate Path or Channel
- CWE-473: CWE-473: PHP External Variable Modification
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.