CVE-2026-28411
- Source
- https://cve.org/CVERecord?id=CVE-2026-28411
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28411.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-28411
- Aliases
-
- GHSA-g7r9-hxc8-8vh7
- Published
- 2026-02-27T21:52:05.032Z
- Modified
- 2026-03-03T02:34:33.029166Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- WeGIA Vulnerable to Authentication Bypass via `extract($_REQUEST)`
- Details
-
WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, an unsafe use of the
extract()function on the$_REQUESTsuperglobal allows an unauthenticated attacker to overwrite local variables in multiple PHP scripts. This vulnerability can be leveraged to completely bypass authentication checks, allowing unauthorized access to administrative and protected areas of the WeGIA application. Version 3.6.5 fixes the issue. - Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28411.json", "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-288", "CWE-473" ] }- References
Affected packages
Git / github.com/labredescefetrj/wegia
Affected versions
0.*
0.9.4-beta
3.*
3.3.0
3.3.1
3.3.2
3.3.3
3.4.0
3.4.1
3.4.10
3.4.11
3.4.12
3.4.2
3.4.3
3.4.4
3.4.5
3.4.6
3.4.7
3.4.8
3.4.9
3.5.0
3.5.1
3.5.2
3.5.3
3.5.4
3.5.5
3.6.0
3.6.1
3.6.2
3.6.4
v1.*
v1.0
v2.*
v2.0
v2.0-beta
v3.*
v3.0
v3.1
v3.2.0
v3.2.10
v3.2.11
v3.2.12
v3.2.13
v3.2.14
v3.2.15
v3.2.16
v3.2.17
v3.2.6
v3.2.7
v3.2.8
v3.2.9