JustAppSec
CRITICAL SeverityCVSS 3.19.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2026-28411

Last updated Feb 27, 2026 · Published Feb 27, 2026

← Back to list

Description

WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, an unsafe use of the `extract()` function on the `$_REQUEST` superglobal allows an unauthenticated attacker to overwrite local variables in multiple PHP scripts. This vulnerability can be leveraged to completely bypass authentication checks, allowing unauthorized access to administrative and protected areas of the WeGIA application. Version 3.6.5 fixes the issue.

Affected products

1 listed
  • LabRedesCefetRJ:WeGIA

Mappings

CWE

CWE-288; CWE-473

CAPEC

None listed.

CVE® content © MITRE Corporation. Licensed under the CVE Terms of Use. Terms