Description
WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, an unsafe use of the `extract()` function on the `$_REQUEST` superglobal allows an unauthenticated attacker to overwrite local variables in multiple PHP scripts. This vulnerability can be leveraged to completely bypass authentication checks, allowing unauthorized access to administrative and protected areas of the WeGIA application. Version 3.6.5 fixes the issue.
Published: 2026-02-27
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass Leading to Full Administrative Access
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in WeGIA arises from the unsafe use of PHP's extract() function on the $_REQUEST superglobal. By supplying specially crafted query parameters, an attacker can overwrite internal variables, including those that control authentication flow, thereby bypassing login checks and gaining unrestricted administrative privileges. This flaw is classified as a high-severity authentication bypass, with a CVSS base score of 9.8, and the associated weaknesses are identified as CWE-288 and CWE-473.

Affected Systems

Only the WeGIA web manager produced by LabRedesCefetRJ is affected. The flaw exists in all releases prior to version 3.6.5. Administrators running any of those earlier versions are exposed to the risk until they apply the vendor-supplied fix.

Risk and Exploitability

The risk is significant: the flaw can be exploited by any internet-connected user without authentication, given that the affected scripts are reachable via standard HTTP requests. Despite the very low EPSS probability (< 1%) and absence from the CISA KEV catalog, the high CVSS score and complete loss of authentication make it a critical threat that requires urgent attention. An attacker can craft a request containing variables such as is_admin=1 to overwrite the session control logic and elevate privileges.

Generated by OpenCVE AI on April 16, 2026 at 15:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WeGIA to version 3.6.5 or later, which removes the vulnerable extract() usage.
  • If an upgrade cannot be performed immediately, edit the PHP scripts that call extract($_REQUEST) to comment out or delete those statements, and replace them with explicit, filtered input handling or use of filter_input().
  • Verify that the administration interface requires proper authentication and that session variables are not overwritten by user input; enable strict session handling and log authentication events to detect suspicious activity.
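As an added example (not WeGIA's own code), the vulnerable `extract($_REQUEST)` pattern the advisory describes is shown beside the explicit, filtered input handling the recommendation calls for; the variable names `$is_admin` and `$page` are assumed for illustration, since the affected scripts are not shown on this page.

```php
<?php
// Added example, not WeGIA's own code. Variable names ($is_admin, $page)
// are assumed for illustration; the real scripts are not shown on this page.

// Vulnerable pattern: extract() on request data turns every parameter name
// into a local variable, so a parameter that happens to share a name with
// an authorization variable silently overwrites it (CWE-473).
function vulnerable_is_admin(array $request, array $session): bool
{
    $is_admin = $session['is_admin'] ?? false;
    extract($request);            // request keys now shadow locals, $is_admin included
    return (bool) $is_admin;
}

// Hardened pattern: read each expected parameter by name with validation,
// and derive authorization state from the session only. With real
// superglobals the same check is filter_input(INPUT_GET, 'page', ...).
function hardened_is_admin(array $request, array $session): bool
{
    $is_admin = (bool) ($session['is_admin'] ?? false);
    $page = filter_var($request['page'] ?? '', FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/^[a-z_]{1,32}$/']]);
    if ($page === false) {
        $page = 'home';           // reject unexpected values instead of trusting them
    }
    // ... route on $page; $is_admin is never touched by request data ...
    return $is_admin;
}

// Constructed sample: an unauthenticated session plus a request that carries
// an extra "is_admin" parameter alongside the expected "page" parameter.
$session = ['is_admin' => false];
$request = ['page' => 'dashboard', 'is_admin' => '1'];

var_dump(vulnerable_is_admin($request, $session));   // the extra parameter decides the result
var_dump(hardened_is_admin($request, $session));     // only the session decides the result
```

Run with `php example.php` to compare the two results; the same contrast applies to any local variable the affected scripts set before calling extract().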

Advisories

No advisories yet.

History

Tue, 03 Mar 2026 18:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wegia; Wegia wegia
CPEs | | cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*
Vendors & Products | | Wegia; Wegia wegia

Mon, 02 Mar 2026 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Labredescefetrj; Labredescefetrj wegia
Vendors & Products | | Labredescefetrj; Labredescefetrj wegia

Fri, 27 Feb 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | | WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, an unsafe use of the `extract()` function on the `$_REQUEST` superglobal allows an unauthenticated attacker to overwrite local variables in multiple PHP scripts. This vulnerability can be leveraged to completely bypass authentication checks, allowing unauthorized access to administrative and protected areas of the WeGIA application. Version 3.6.5 fixes the issue.
Title | | WeGIA Vulnerable to Authentication Bypass via `extract($_REQUEST)`
Weaknesses | | CWE-288; CWE-473
References | |
Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-02T21:58:06.757Z

Reserved: 2026-02-27T15:33:57.289Z

Link: CVE-2026-28411

Vulnrichment

Updated: 2026-03-02T21:58:01.662Z

NVD

Status : Analyzed

Published: 2026-02-27T22:16:24.170

Modified: 2026-03-03T17:56:18.417

Link: CVE-2026-28411

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T15:15:39Z

Weaknesses