CVE-2026-28408
- Source
- https://cve.org/CVERecord?id=CVE-2026-28408
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28408.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-28408
- Aliases
-
- GHSA-xq3w-xwxj-fg2q
- Published
- 2026-02-27T21:49:14.747Z
- Modified
- 2026-03-03T02:34:04.262412Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- WeGIA lacks authentication verification in adicionar_tipo_docs_atendido.php
- Details
-
WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, the script in adicionartipodocs_atendido.php does not go through the project's central controller and does not have its own authentication and permission checks. A malicious user could make a request through tools like Postman or the file's URL on the web to access features exclusive to employees. The vulnerability allows external parties to inject unauthorized data in massive quantities into the application server's storage. Version 3.6.5 fixes the issue.
- Database specific
{ "cwe_ids": [ "CWE-287", "CWE-862" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28408.json" }- References
Affected packages
Git / github.com/labredescefetrj/wegia
Affected versions
0.*
0.9.4-beta
3.*
3.3.0
3.3.1
3.3.2
3.3.3
3.4.0
3.4.1
3.4.10
3.4.11
3.4.12
3.4.2
3.4.3
3.4.4
3.4.5
3.4.6
3.4.7
3.4.8
3.4.9
3.5.0
3.5.1
3.5.2
3.5.3
3.5.4
3.5.5
3.6.0
3.6.1
3.6.2
3.6.4
v1.*
v1.0
v2.*
v2.0
v2.0-beta
v3.*
v3.0
v3.1
v3.2.0
v3.2.10
v3.2.11
v3.2.12
v3.2.13
v3.2.14
v3.2.15
v3.2.16
v3.2.17
v3.2.6
v3.2.7
v3.2.8
v3.2.9