CVE-2026-28411 | THREATINT

Description

WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, an unsafe use of the `extract()` function on the `$_REQUEST` superglobal allows an unauthenticated attacker to overwrite local variables in multiple PHP scripts. This vulnerability can be leveraged to completely bypass authentication checks, allowing unauthorized access to administrative and protected areas of the WeGIA application. Version 3.6.5 fixes the issue.

PUBLISHED Reserved 2026-02-27 | Published 2026-02-27 | Updated 2026-03-02 | Assigner GitHub_M

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-288: Authentication Bypass Using an Alternate Path or Channel

CWE-473: PHP External Variable Modification

Product status

< 3.6.5

affected

References

github.com/.../WeGIA/security/advisories/GHSA-g7r9-hxc8-8vh7

cve.org (CVE-2026-28411)

nvd.nist.gov (CVE-2026-28411)

Download JSON