CRITICAL🇵🇱 Wersja polska

CVE-2026-28408

CVSS 9.8v3.1pub. 2026-02-27upd. 2026-03-03

WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, the script in adicionar_tipo_docs_atendido.php does not go through the project's central controller and does not have its own authentication and permission checks. A malicious user could make a request through tools like Postman or the file's URL on the web to access features exclusive to employees. The vulnerability allows external parties to inject unauthorized data in massive quantities into the application server's storage. Version 3.6.5 fixes the issue.

🤖 AI Analysis
How it works

The script adicionar_tipo_docs_atendido.php is directly accessible via URL or tools like Postman without passing through the application's central controller. Since it does not implement its own authentication or permission controls (CWE-287, CWE-862), any external user can send HTTP requests to it. In this way, an attacker can use functionality intended for logged-in employees and uncontrollably write large amounts of data to the server's disk space.

Impact

An attacker without any authentication can gain access to functions reserved for employees and mass inject unauthorized data into the database/server resources, which may lead to data integrity violations, disk space exhaustion, and application disruption.

Mitigation & patch

WeGIA should be updated to version 3.6.5, which introduces a fix eliminating the vulnerability by including the script in the project's central access control mechanism.

Who is affected

WeGIA in versions before 3.6.5

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Wegia

    APP
    Wegia
    < 3.6.5
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2026-33134CRITICAL9.3PL ✓ten sam produkt

SQL Injection w WeGIA — kompromitacja bazy danych przez parametr id_produto

CVE-2026-33136CRITICAL9.3PL ✓ten sam produkt

Reflected XSS w WeGIA — wstrzyknięcie kodu przez parametr sccd

CVE-2026-33135CRITICAL9.3PL ✓ten sam produkt

Reflected XSS w WeGIA — wstrzyknięcie kodu JS przez parametr GET

CVE-2026-31896CRITICAL9.8PL ✓ten sam produkt

SQL Injection w WeGIA – nieautoryzowane wykonanie poleceń SQL

CVE-2026-28409CRITICAL10.0PL ✓ten sam produkt

WeGIA – RCE przez command injection w funkcji przywracania bazy danych