Description
WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, a critical Remote Code Execution (RCE) vulnerability exists in the WeGIA application's database restoration functionality. An attacker with administrative access (which can be obtained via the previously reported Authentication Bypass) can execute arbitrary OS commands on the server by uploading a backup file with a specifically crafted filename. Version 3.6.5 fixes the issue.
Published: 2026-02-27
Score: 10 Critical
EPSS: 1.4% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A critical Remote Code Execution vulnerability exists in the WeGIA application’s database restoration feature, permitting an attacker with administrative privileges to inject and run arbitrary OS commands by uploading a backup file with a specially crafted filename. The weakness is an OS Command Injection flaw (CWE-78) and allows full compromise of confidentiality, integrity, and availability of the affected system.

Affected Systems

The vulnerability affects the WeGIA web manager from LabRedesCefetRJ in all versions prior to 3.6.5. Version 3.6.5 and later contain the fix and are not vulnerable; no other affected versions are listed.

Risk and Exploitability

The CVSS v3 score is 10, indicating maximum severity, but the EPSS score is less than 1%, suggesting a very low probability of exploitation at this time. The vulnerability is not currently listed in the CISA KEV catalog. Attackers must first bypass authentication to gain administrative access, then upload a crafted backup file; if successful, they can run any OS command on the server.

Generated by OpenCVE AI on April 16, 2026 at 15:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WeGIA to version 3.6.5 or later to apply the vendor fix.
  • Delete any backup files that were uploaded with crafted filenames to eliminate the risk of residual payloads.
  • Implement filename validation or restrict the database restoration functionality to trusted administrators to prevent future injection attacks.
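One way to implement the filename validation recommended above, as an added illustration rather than WeGIA's own code: the uploaded name is checked against a strict allow-list, its resolved path is confined to the backup directory, and the restore tool is invoked with an argument list (no shell) so the name is never parsed by /bin/sh. The backup directory, the `mysql` restore step and the database name are assumptions.

```python
import os
import re
import subprocess

BACKUP_DIR = "/var/backups/wegia"  # assumed location of uploaded backup files

# Allow-list: starts with a letter or digit, then letters/digits/_/./-, ends in .sql.
# Spaces, quotes, ';', '|', '$', '`', '/' and newlines all fail to match.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\.sql")


def is_safe_backup_filename(name: str) -> bool:
    """Return True only if the uploaded filename is on the allow-list and
    stays inside BACKUP_DIR once resolved (rejects '..' traversal)."""
    if not _SAFE_NAME.fullmatch(name) or ".." in name:
        return False
    resolved = os.path.realpath(os.path.join(BACKUP_DIR, name))
    return os.path.dirname(resolved) == os.path.realpath(BACKUP_DIR)


def build_restore_argv(name: str, db: str = "wegia") -> list:
    """Build the restore command as an argv list. With shell=False the list is
    handed straight to execve, so no shell metacharacter in the name is ever
    interpreted. Raises ValueError for any name that fails validation."""
    if not is_safe_backup_filename(name):
        raise ValueError("rejected backup filename: %r" % name)
    # The filename is deliberately NOT placed in the argument vector at all;
    # the file contents are fed on stdin by restore_backup().
    return ["mysql", "--database", db]


def restore_backup(name: str, db: str = "wegia") -> int:
    """Run the restore, streaming the validated file on stdin instead of a
    shell '<' redirection. Returns the restore tool's exit code."""
    argv = build_restore_argv(name, db)
    with open(os.path.join(BACKUP_DIR, name), "rb") as backup:
        result = subprocess.run(argv, stdin=backup, shell=False, check=False)
    return result.returncode
```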


Advisories

No advisories yet.

History

Tue, 03 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Wegia
Wegia wegia
CPEs cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*
Vendors & Products Wegia
Wegia wegia

Mon, 02 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Labredescefetrj
Labredescefetrj wegia
Vendors & Products Labredescefetrj
Labredescefetrj wegia

Fri, 27 Feb 2026 22:00:00 +0000

Type Values Removed Values Added
Description WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, a critical Remote Code Execution (RCE) vulnerability exists in the WeGIA application's database restoration functionality. An attacker with administrative access (which can be obtained via the previously reported Authentication Bypass) can execute arbitrary OS commands on the server by uploading a backup file with a specifically crafted filename. Version 3.6.5 fixes the issue.
Title WeGIA Vulnerable to Remote Code Execution (RCE) via OS Command Injection
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-02T21:58:36.963Z

Reserved: 2026-02-27T15:33:57.289Z

Link: CVE-2026-28409

Vulnrichment

Updated: 2026-03-02T21:58:33.767Z

NVD

Status: Analyzed

Published: 2026-02-27T22:16:24.010

Modified: 2026-03-03T18:20:07.170

Link: CVE-2026-28409

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T15:15:39Z

Weaknesses