Description
WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, when attempting to upload a file with malicious content to funcionario/docdependente_upload.php, the application responds with an overly descriptive error message. This leads to information disclosure, effectively increasing the attack surface by providing potential attackers with technical insights to refine their exploits. This vulnerability is fixed in 3.6.10.
Published: 2026-05-11
Score: 0 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises in WeGIA’s file upload handling for the docdependente module. When an attacker uploads a file with malicious content, the application returns an overly detailed error message that reveals internal implementation details. This exposure falls under the Information Disclosure weakness (CWE‑200). The disclosed information could aid attackers in understanding the application's structure or in refining additional exploits, thereby increasing the overall attack surface.

Affected Systems

All installations of WeGIA prior to version 3.6.10 are affected, including the LabRedesCefetRJ WeGIA web manager for charitable institutions. The issue resides in funcionario/docdependente_upload.php and is fixed in release 3.6.10 and later.

Risk and Exploitability

While the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, the risk is rooted in the ability to glean technical details through normal usage of the file upload endpoint. The attack vector is inferred to be remote file upload via an authenticated or unauthenticated user with upload privileges. Due to the lack of an exploitable code execution path, the immediate threat is limited to information disclosure, yet it can facilitate more targeted attacks in the future.

Generated by OpenCVE AI on May 11, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WeGIA to version 3.6.10 or later to apply the vendor fix
  • Restrict access to the funcionario/docdependente_upload.php endpoint to trusted users only
  • Configure the application to hide detailed error messages in production environments
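
One way to apply the last recommendation in a PHP upload handler, as an added example that is not WeGIA's code: the failure detail goes to the server log under a reference id, and the client receives only a generic message. The form field name `documento`, the destination path and the function name `storeUpload` are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical upload handler; names and paths are illustrative, not WeGIA's code.
ini_set('display_errors', '0');   // never render PHP errors into the response
ini_set('log_errors', '1');       // keep the detail in the server-side log
header('Content-Type: application/json');

const ALLOWED_MIME = ['application/pdf', 'image/png', 'image/jpeg'];

function storeUpload(array $file, string $destDir): string
{
    $code = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($code !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error code ' . $code);
    }
    // Inspect the content, not the client-supplied name or type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        throw new RuntimeException('rejected MIME type ' . var_export($mime, true));
    }
    $name = bin2hex(random_bytes(16));   // server-chosen file name
    if (!move_uploaded_file($file['tmp_name'], $destDir . '/' . $name)) {
        throw new RuntimeException('cannot move upload into ' . $destDir);
    }
    return $name;
}

try {
    $id = storeUpload($_FILES['documento'] ?? [], '/var/app/uploads');
    http_response_code(201);
    echo json_encode(['id' => $id]);
} catch (Throwable $e) {
    // Verbose pattern to avoid: echoing $e->getMessage() or $e->getTraceAsString(),
    // which hands paths, class names and library details to the client.
    $ref = bin2hex(random_bytes(8));
    error_log(sprintf('[upload %s] %s at %s:%d',
        $ref, $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(400);
    echo json_encode(['error' => 'The file could not be processed.', 'ref' => $ref]);
}
```

The `ref` value lets support staff find the matching log line without the response carrying any implementation detail.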


Advisories

No advisories yet.

History

Tue, 12 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Labredescefetrj; Labredescefetrj wegia
Vendors & Products | | Labredescefetrj; Labredescefetrj wegia

Mon, 11 May 2026 19:30:00 +0000

Type | Values Removed | Values Added
Description | | WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, when attempting to upload a file with malicious content to funcionario/docdependente_upload.php, the application responds with an overly descriptive error message. This leads to information disclosure, effectively increasing the attack surface by providing potential attackers with technical insights to refine their exploits. This vulnerability is fixed in 3.6.10.
Title | | WeGIA: Error Handling Upload DocDependente
Weaknesses | | CWE-200
References | |
Metrics | | cvssV3_1 {'score': 0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T13:39:26.848Z

Reserved: 2026-04-30T18:49:06.711Z

Link: CVE-2026-42873

Vulnrichment

Updated: 2026-05-12T13:38:58.259Z

NVD

Status: Received

Published: 2026-05-11T20:25:43.833

Modified: 2026-05-12T14:17:05.567

Link: CVE-2026-42873

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T20:30:16Z

Weaknesses