CVE-2026-28411 — CRITICAL (9.8)

Q: How severe is CVE-2026-28411?

CVE-2026-28411 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2026-28411?

Check the references section above for vendor advisories and patch information. Affected products include: Wegia Wegia.

Vulnerability Description

WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, an unsafe use of the `extract()` function on the `$_REQUEST` superglobal allows an unauthenticated attacker to overwrite local variables in multiple PHP scripts. This vulnerability can be leveraged to completely bypass authentication checks, allowing unauthorized access to administrative and protected areas of the WeGIA application. Version 3.6.5 fixes the issue.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Wegia	Wegia	< 3.6.5

Related Weaknesses (CWE)

CWE-473 CWE-288

References

https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-g7r9-hxc8-8vh7ExploitVendor Advisory

FAQ

What is CVE-2026-28411?

CVE-2026-28411 is a vulnerability with a CVSS score of 9.8 (CRITICAL). WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, an unsafe use of the `extract()` function on the `$_REQUEST` superglobal allows an unauthenticated attacker to overwrite loc...

How severe is CVE-2026-28411?

CVE-2026-28411 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2026-28411?

Check the references section above for vendor advisories and patch information. Affected products include: Wegia Wegia.