CRITICAL🇵🇱 Wersja polska

CVE-2026-28411

CVSS 9.8v3.1pub. 2026-02-27upd. 2026-03-03

WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, an unsafe use of the `extract()` function on the `$_REQUEST` superglobal allows an unauthenticated attacker to overwrite local variables in multiple PHP scripts. This vulnerability can be leveraged to completely bypass authentication checks, allowing unauthorized access to administrative and protected areas of the WeGIA application. Version 3.6.5 fixes the issue.

🤖 AI Analysis
How it works

The vulnerability results from unsafe invocation of the `extract()` function on the `$_REQUEST` array in multiple PHP scripts of the WeGIA application. The `extract()` function imports key-value pairs from an array as local variables, allowing an attacker to supply arbitrary HTTP parameters (GET or POST) and overwrite existing local variables in the script. In this way, an attacker can modify variables responsible for permission control and authentication state, effectively bypassing all identity verification mechanisms. The attack requires no authentication, user interaction, or special network conditions.

Impact

Attackers gain unauthorized access to WeGIA administrative panels and protected application areas. Consequently, it is possible to disclose, modify, or delete data processed by the application, which in the case of a charitable institution management system may result in leakage of sensitive beneficiary and donor data.

Mitigation & patch

WeGIA should be updated to version 3.6.5 or newer, which removes the vulnerability. Details are available in the project's official security bulletin at the address indicated in the references.

Who is affected

WeGIA in versions prior to 3.6.5

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Wegia

    APP
    Wegia
    < 3.6.5
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2026-33134CRITICAL9.3PL ✓ten sam produkt

SQL Injection w WeGIA — kompromitacja bazy danych przez parametr id_produto

CVE-2026-33136CRITICAL9.3PL ✓ten sam produkt

Reflected XSS w WeGIA — wstrzyknięcie kodu przez parametr sccd

CVE-2026-33135CRITICAL9.3PL ✓ten sam produkt

Reflected XSS w WeGIA — wstrzyknięcie kodu JS przez parametr GET

CVE-2026-31896CRITICAL9.8PL ✓ten sam produkt

SQL Injection w WeGIA – nieautoryzowane wykonanie poleceń SQL

CVE-2026-28408CRITICAL9.8PL ✓ten sam produkt

WeGIA – pominięcie uwierzytelnienia w adicionar_tipo_docs_atendido.php