CRITICAL🇵🇱 Wersja polska

CVE-2026-28409

CVSS 10.0v3.1pub. 2026-02-27upd. 2026-03-03

WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, a critical Remote Code Execution (RCE) vulnerability exists in the WeGIA application's database restoration functionality. An attacker with administrative access (which can be obtained via the previously reported Authentication Bypass) can execute arbitrary OS commands on the server by uploading a backup file with a specifically crafted filename. Version 3.6.5 fixes the issue.

🤖 AI Analysis
How it works

The vulnerability occurs in the database restore function of the WeGIA application. The attacker uploads a backup file with a specially crafted filename that contains malicious system commands. The application does not properly sanitize the uploaded filename before using it in a system command call (CWE-78), leading to execution of embedded commands with the privileges of the server process.

Impact

The attacker gains the ability to execute arbitrary operating system commands on the server, which may lead to complete system takeover, data theft, data destruction, or further lateral movement in the network.

Mitigation & patch

The WeGIA application should be updated to version 3.6.5, which eliminates the described vulnerability. Details available in the vendor references: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-5m5g-q2vv-rv3r

Who is affected

WeGIA application in versions before 3.6.5

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Wegia

    APP
    Wegia
    < 3.6.5
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEAuth BypassCommand Injection
CWE
References

Related vulnerabilities

CVE-2026-33134CRITICAL9.3PL ✓ten sam produkt

SQL Injection w WeGIA — kompromitacja bazy danych przez parametr id_produto

CVE-2026-33136CRITICAL9.3PL ✓ten sam produkt

Reflected XSS w WeGIA — wstrzyknięcie kodu przez parametr sccd

CVE-2026-33135CRITICAL9.3PL ✓ten sam produkt

Reflected XSS w WeGIA — wstrzyknięcie kodu JS przez parametr GET

CVE-2026-31896CRITICAL9.8PL ✓ten sam produkt

SQL Injection w WeGIA – nieautoryzowane wykonanie poleceń SQL

CVE-2026-28408CRITICAL9.8PL ✓ten sam produkt

WeGIA – pominięcie uwierzytelnienia w adicionar_tipo_docs_atendido.php