Description
WeGIA is a web manager for charitable institutions. In 3.6.5, the patched loadBackupDB() extracts tar.gz archives to a temporary directory using PHP's PharData class, then uses glob() and file_get_contents() to read SQL files from the extracted contents. Neither the extraction nor the file reading validates whether archive members are symbolic links. This vulnerability is fixed in 3.6.6.
Published: 2026-03-11
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read
Action: Apply Update
AI Analysis

Impact

WeGIA's backup restore function in version 3.6.5 uses PHP's PharData class to extract tar.gz archives and then reads SQL files with file_get_contents() after a glob(). The implementation does not verify whether extracted archive members are symbolic links. An attacker can upload a crafted archive containing symlinks that point to sensitive files on the server, leading to arbitrary file reads and confidentiality compromise. This vulnerability is identified as CWE-59 (Improper Link Resolution Before File Access, "Link Following").
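To make the defect concrete, the following PHP is an added illustration written for this page; it is not WeGIA's code, and the function names, the temporary-directory layout and the archive path are assumptions. It places the read pattern the advisory describes (glob() followed by file_get_contents(), no link check) beside a hardened reader that walks the extraction tree with lstat semantics, aborts on any symbolic link, and only reads regular files whose resolved path stays inside the extraction root.

```php
<?php
declare(strict_types=1);

// Added example, not WeGIA's code. Names below are assumptions.

/**
 * Pattern described in the advisory: every *.sql in $dir is read, so an
 * archive member that is a symlink is silently followed by
 * file_get_contents() and the link target is returned instead.
 */
function readSqlUnchecked(string $dir): array
{
    $out = [];
    foreach (glob($dir . '/*.sql') as $path) {
        $out[basename($path)] = file_get_contents($path);
    }
    return $out;
}

/**
 * Hardened variant: reject symlinks (files or directories) and any member
 * that resolves outside the extraction root before reading it.
 */
function readSqlChecked(string $dir): array
{
    $root = realpath($dir);
    if ($root === false || !is_dir($root)) {
        throw new RuntimeException('extraction directory not found');
    }
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // SKIP_DOTS drops "." and "..". Without FOLLOW_SYMLINKS the iterator
    // does not descend into symlinked directories, and SELF_FIRST makes it
    // yield directory entries themselves so is_link() can inspect them.
    $walk = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );

    $out = [];
    foreach ($walk as $path => $info) {
        // is_link() uses lstat(), so it reports the link itself, not its
        // target. Any link at all means the archive is rejected outright.
        if (is_link($path)) {
            throw new RuntimeException("archive member is a symlink: $path");
        }
        if (!$info->isFile() || strtolower($info->getExtension()) !== 'sql') {
            continue;
        }
        // Defence in depth: the canonical path must stay under the root.
        $real = realpath($path);
        if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
            throw new RuntimeException("member resolves outside root: $path");
        }
        $out[substr($real, strlen($prefix))] = file_get_contents($real);
    }
    return $out;
}

/**
 * Extract an uploaded tar.gz into a private, unpredictably named temp
 * directory with PharData (the class the advisory names), then read the
 * SQL members through the checked reader. Cleanup of $tmp is left to the
 * caller and must unlink entries rather than follow them.
 */
function restoreBackup(string $archivePath): array
{
    $tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR
         . 'restore_' . bin2hex(random_bytes(8));
    if (!mkdir($tmp, 0700, true)) {
        throw new RuntimeException('cannot create extraction directory');
    }
    $phar = new PharData($archivePath);
    $phar->extractTo($tmp, null, true);
    return readSqlChecked($tmp);
}

// Example call (assumed path): print_r(restoreBackup('/tmp/upload/backup.tar.gz'));
```

Two points worth noting. The check and the read are separate system calls, so the extraction directory has to be private (mode 0700, unpredictable name) to keep another local user from swapping an entry between is_link() and file_get_contents(). Rejecting the whole archive on the first link, rather than skipping the offending member, is deliberate: a legitimate database backup has no reason to contain links, and a partial restore from a tampered archive is harder to reason about than a refused one.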

Affected Systems

The affected product is WeGIA Web Manager from LabRedesCefetRJ, specifically version 3.6.5. The CPE identifier is cpe:2.3:a:wegia:wegia:3.6.5:*:*:*:*:*:*:*.

Risk and Exploitability

The CVSS score is 6.9, indicating moderate severity. The EPSS score is <1%, suggesting low likelihood of exploitation, and the vulnerability is not listed in CISA KEV. The attack requires the ability to upload a backup archive and trigger its restoration, which typically implies local or administrative access to the server. Once the condition is met, the attacker can read arbitrary files exposed to the PHP process. Overall, the risk is moderate and primarily relevant to systems that allow untrusted users to upload or restore backups without validation.

Generated by OpenCVE AI on March 17, 2026 at 15:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WeGIA to version 3.6.6 or later, where the extraction and file reading steps validate against symbolic links.
  • If immediate upgrade is not possible, restrict the backup restore feature to trusted administrators only and monitor for anomalous uploads.
  • Consider temporarily disabling the backup restore functionality until a patch is applied.
  • Review upload permissions and file system paths to ensure no unintended access to sensitive directories.



Advisories

No advisories yet.

History

Fri, 13 Mar 2026 20:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Wegia; Wegia wegia
CPEs                 -                cpe:2.3:a:wegia:wegia:3.6.5:*:*:*:*:*:*:*
Vendors & Products   -                Wegia; Wegia wegia
Metrics              -                cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Thu, 12 Mar 2026 20:15:00 +0000

Type                 Values Removed   Values Added
Metrics              -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Labredescefetrj; Labredescefetrj wegia
Vendors & Products   -                Labredescefetrj; Labredescefetrj wegia

Wed, 11 Mar 2026 19:30:00 +0000

Type                 Values Removed   Values Added
Description          -                WeGIA is a web manager for charitable institutions. In 3.6.5, The patched loadBackupDB() extracts tar.gz archives to a temporary directory using PHP's PharData class, then uses glob() and file_get_contents() to read SQL files from the extracted contents. Neither the extraction nor the file reading validates whether archive members are symbolic links. This vulnerability is fixed in 3.6.6.
Title                -                WeGIA affected by arbitrary file read via symlink in backup restore
Weaknesses           -                CWE-59
References           -                -
Metrics              -                cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T20:03:42.724Z

Reserved: 2026-03-09T21:59:02.688Z

Link: CVE-2026-31894

Vulnrichment

Updated: 2026-03-12T20:03:39.738Z

NVD

Status : Analyzed

Published: 2026-03-11T20:16:15.460

Modified: 2026-03-13T20:22:24.810

Link: CVE-2026-31894

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:29:24Z

Weaknesses