CVE-2026-28411

CRITICAL

WeGIA <3.6.5 - Auth Bypass

Title source: llm

Description

WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, an unsafe use of the `extract()` function on the `$_REQUEST` superglobal allows an unauthenticated attacker to overwrite local variables in multiple PHP scripts. This vulnerability can be leveraged to completely bypass authentication checks, allowing unauthorized access to administrative and protected areas of the WeGIA application. Version 3.6.5 fixes the issue.

References (1)

[Vendor Advisory] https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-g7r9-hxc8-8vh7

Scores

CVSS v3 9.8

EPSS 0.0025

EPSS Percentile 47.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-473 CWE-288

Status published

Products (1)

wegia/wegia < 3.6.5

Published Feb 27, 2026

Tracked Since Feb 28, 2026