CVE-2026-28411

Exploit

EPSS 0.27%
Veröffentlicht 27.02.2026 21:52:05
Zuletzt bearbeitet 03.03.2026 17:56:18
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, an unsafe use of the `extract()` function on the `$_REQUEST` superglobal allows an unauthenticated attacker to overwrite local variables in multiple PHP scripts. This vulnerability can be leveraged to completely bypass authentication checks, allowing unauthorized access to administrative and protected areas of the WeGIA application. Version 3.6.5 fixes the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Wegia ≫ Wegia Version < 3.6.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.27%	0.501

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-288 Authentication Bypass Using an Alternate Path or Channel

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

CWE-473 PHP External Variable Modification

A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies. This can expose the application to numerous weaknesses that would not exist otherwise.

https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-g7r9-hxc8-8vh7

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-28411

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-28411

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-28411

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-28411