CVE-2026-31894

Source
https://cve.org/CVERecord?id=CVE-2026-31894
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31894.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-31894
Aliases
  • GHSA-6mmm-27h8-8g55
Published
2026-03-11T19:05:51.687Z
Modified
2026-04-02T13:24:07.128741Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
WeGIA affected by arbitrary file read via symlink in backup restore
Details

WeGIA is a web manager for charitable institutions. In 3.6.5, the patched loadBackupDB() extracts tar.gz archives to a temporary directory using PHP's PharData class, then uses glob() and file_get_contents() to read SQL files from the extracted contents. Neither the extraction nor the file reading validates whether archive members are symbolic links, so a crafted backup archive containing a symlink member that points outside the extraction directory causes the contents of the link target to be read instead of an SQL dump (an arbitrary file read, CWE-59). The CVSS vector's PR:H reflects that the restore function is reachable only by a user with backup-restore privileges. This vulnerability is fixed in 3.6.6.
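The unsafe read pattern described above beside a hardened replacement, as an added example written for this page; it is not WeGIA's code, and the function names readSqlFilesUnsafe, readSqlFilesSafe and loadBackupDbSafe are assumptions. The demo does not craft a malicious archive; it simulates the tree that extracting one would leave behind by placing a symlink named like an SQL dump in the extraction directory, then shows that the unchecked reader returns the link target's contents while the checked reader refuses it.

```php
<?php
// Added example, not WeGIA's code. Names of functions and paths are assumptions.
declare(strict_types=1);

// Unsafe pattern: glob() the extraction directory and read whatever matches.
// file_get_contents() follows symlinks, so a member "x.sql -> /etc/passwd"
// returns the target's contents.
function readSqlFilesUnsafe(string $extractDir): array
{
    $out = [];
    foreach (glob($extractDir . '/*.sql') ?: [] as $path) {
        $out[basename($path)] = file_get_contents($path);
    }
    return $out;
}

// Hardened pattern: reject symlink members (is_link() uses lstat, so it sees the
// link itself), accept only regular files, and require the resolved path to stay
// inside the extraction directory.
function readSqlFilesSafe(string $extractDir): array
{
    $base = realpath($extractDir);
    if ($base === false) {
        throw new RuntimeException('extraction directory missing');
    }
    $out = [];
    foreach (glob($base . '/*.sql') ?: [] as $path) {
        if (is_link($path)) {
            throw new RuntimeException("refusing symlink member: " . basename($path));
        }
        $real = realpath($path);
        if ($real === false || !is_file($real)
            || !str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
            throw new RuntimeException("refusing member outside extraction dir: " . basename($path));
        }
        $out[basename($path)] = file_get_contents($real);
    }
    return $out;
}

// Hardened restore flow: extract with PharData into a private, randomly named
// temp dir, read through the checked reader, and remove the tree afterwards.
// unlink() removes a symlink itself, never its target. Flat archives only.
function loadBackupDbSafe(string $archivePath): array
{
    $tmp = sys_get_temp_dir() . '/restore_' . bin2hex(random_bytes(8));
    if (!mkdir($tmp, 0700)) {
        throw new RuntimeException('could not create extraction directory');
    }
    try {
        (new PharData($archivePath))->extractTo($tmp, null, true);
        return readSqlFilesSafe($tmp);
    } finally {
        foreach (glob($tmp . '/*') ?: [] as $f) {
            unlink($f);
        }
        rmdir($tmp);
    }
}

// Demo: constructed extraction tree standing in for a malicious archive.
$dir = sys_get_temp_dir() . '/wegia_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents("$dir/dump.sql", "CREATE TABLE t (id INT);\n");
$secret = tempnam(sys_get_temp_dir(), 'secret');          // stands in for /etc/passwd
file_put_contents($secret, "db_password=hunter2\n");
symlink($secret, "$dir/evil.sql");                          // the symlink member

$leaked = readSqlFilesUnsafe($dir);
echo "unsafe reader returned evil.sql => " . $leaked['evil.sql'];

try {
    readSqlFilesSafe($dir);
} catch (RuntimeException $e) {
    echo "safe reader: " . $e->getMessage() . "\n";
}

unlink("$dir/evil.sql");
unlink("$dir/dump.sql");
rmdir($dir);
unlink($secret);
```

Two caveats a reviewer would raise on the hardened version. The check-then-read sequence is a TOCTOU window; PHP exposes no O_NOFOLLOW, so the mitigation relies on the extraction directory being created mode 0700 with an unpredictable name, which keeps other local users from racing it. And rejecting symlinks after extraction means the links have already been written to disk; an implementation that inspects archive member types before calling extractTo(), or that refuses archives containing non-regular members, closes the gap earlier.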

Database specific
{
    "cwe_ids": [
        "CWE-59"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31894.json"
}
References

Affected packages

Git / github.com/labredescefetrj/wegia

Affected ranges

Type
GIT
Repo
https://github.com/labredescefetrj/wegia
Events

Affected versions

3.*
3.6.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31894.json"