Description
WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, the script in adicionar_tipo_docs_atendido.php does not go through the project's central controller and does not have its own authentication and permission checks. A malicious user could make a request through tools like Postman or the file's URL on the web to access features exclusive to employees. The vulnerability allows external parties to inject unauthorized data in massive quantities into the application server's storage. Version 3.6.5 fixes the issue.
Published: 2026-02-27
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication bypass allowing unrestricted data injection
Action: Immediate Patch
AI Analysis

Impact

A missing authentication and permission validation in the adicionar_tipo_docs_atendido.php script exposes the WeGIA system to unauthorized users. Because the script bypasses the central controller, an attacker can submit crafted requests that the application blindly accepts and persists as new records, effectively inserting large volumes of unauthorized data into the storage. This flaw permits privilege escalation to employee‑only functions and jeopardizes data integrity and confidentiality within the charitable organization’s records.

Affected Systems

The WeGIA web manager from LabRedesCefetRJ, in any version earlier than 3.6.5, is affected. Version 3.6.5 and later include a fix that enforces proper authentication checks for this endpoint.

Risk and Exploitability

With a CVSS score of 9.8, the vulnerability is rated critical. The EPSS score is reported as less than 1%, indicating a low probability of widespread exploitation at the time of analysis, and the issue is not listed in CISA's KEV catalog. However, the attack vector is straightforward: an attacker can issue an HTTP request directly to the vulnerable script using tools such as Postman or by navigating to the script's URL, thereby triggering the unauthorized data insertion.

Generated by OpenCVE AI on April 16, 2026 at 15:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WeGIA to version 3.6.5 or later to apply the vendor‑provided fix.
  • Configure the web server to prohibit direct access to the adicionar_tipo_docs_atendido.php script, for example by placing it inside a protected directory or using an .htaccess rule that requires authentication.
  • Review all application entry points to ensure they perform proper authentication and permission checks before executing business logic.
  • Audit the application logs for attempts to invoke adicionar_tipo_docs_atendido.php without legitimate credentials and investigate any suspicious activity.
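Added example (not from the advisory or the WeGIA project): a small Python audit for the log-review step above. It assumes Apache combined-format access logs, an assumed site hostname wegia.example, and constructed sample lines; because the script's directory is deployment-specific, matching is on the file name only.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

SCRIPT = "adicionar_tipo_docs_atendido.php"
SITE_HOST = "wegia.example"      # assumed hostname of the WeGIA deployment
BURST_THRESHOLD = 3              # calls from one client within BURST_WINDOW
BURST_WINDOW = timedelta(minutes=1)

LINE_RE = re.compile(            # Apache "combined" access log format
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def audit(log_text):
    """Return (reason, client_ip, timestamp) findings for calls to SCRIPT."""
    findings, per_client = [], defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Match on the file name only; its directory is deployment-specific.
        if rec is None or not rec["path"].split("?")[0].endswith("/" + SCRIPT):
            continue
        # Direct invocation (Postman, typed URL): no Referer from our own site. Forgeable, so a triage signal only.
        if not rec["referer"].startswith(f"https://{SITE_HOST}/"):
            findings.append(("direct-call", rec["ip"], rec["ts"]))
        per_client[rec["ip"]].append(rec["ts"])
    # Mass insertion: BURST_THRESHOLD calls from one client inside BURST_WINDOW.
    for ip, stamps in per_client.items():
        stamps.sort()
        for i in range(len(stamps) - BURST_THRESHOLD + 1):
            if stamps[i + BURST_THRESHOLD - 1] - stamps[i] <= BURST_WINDOW:
                findings.append(("burst", ip, stamps[i]))
                break
    return findings

# Constructed sample lines, not real WeGIA traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:09:14:01 +0000] "POST /adicionar_tipo_docs_atendido.php HTTP/1.1" 200 512 "-" "PostmanRuntime/7.36.0"
203.0.113.7 - - [10/Mar/2026:09:14:02 +0000] "POST /adicionar_tipo_docs_atendido.php HTTP/1.1" 200 512 "-" "PostmanRuntime/7.36.0"
203.0.113.7 - - [10/Mar/2026:09:14:03 +0000] "POST /adicionar_tipo_docs_atendido.php HTTP/1.1" 200 512 "-" "PostmanRuntime/7.36.0"
198.51.100.9 - - [10/Mar/2026:09:30:00 +0000] "GET /adicionar_tipo_docs_atendido.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.20 - - [10/Mar/2026:09:41:15 +0000] "POST /adicionar_tipo_docs_atendido.php HTTP/1.1" 302 0 "https://wegia.example/home.php" "Mozilla/5.0"
"""
```

Calling audit(SAMPLE_LOG) flags the three Postman calls and the typed-URL GET as direct calls and the first client as a burst, while the request that arrived through the application's own page is left alone.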

Advisories

No advisories yet.

History

Tue, 03 Mar 2026 18:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wegia; Wegia wegia
CPEs                |                | cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*
Vendors & Products  |                | Wegia; Wegia wegia

Mon, 02 Mar 2026 22:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 12:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Labredescefetrj; Labredescefetrj wegia
Vendors & Products  |                | Labredescefetrj; Labredescefetrj wegia

Fri, 27 Feb 2026 22:00:00 +0000

Type        | Values Removed | Values Added
Description |                | WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, the script in adicionar_tipo_docs_atendido.php does not go through the project's central controller and does not have its own authentication and permission checks. A malicious user could make a request through tools like Postman or the file's URL on the web to access features exclusive to employees. The vulnerability allows external parties to inject unauthorized data in massive quantities into the application server's storage. Version 3.6.5 fixes the issue.
Title       |                | WeGIA lacks authentication verification in adicionar_tipo_docs_atendido.php
Weaknesses  |                | CWE-287; CWE-862
References  |                |
Metrics     |                | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-02T21:59:11.926Z

Reserved: 2026-02-27T15:33:57.289Z

Link: CVE-2026-28408

Vulnrichment

Updated: 2026-03-02T21:59:08.011Z

NVD

Status: Analyzed

Published: 2026-02-27T22:16:23.847

Modified: 2026-03-03T18:22:19.377

Link: CVE-2026-28408

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T15:15:39Z

Weaknesses