← Retour aux CVEs
CVE-2026-28408
CRITICAL9.8
Description
WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, the script in adicionar_tipo_docs_atendido.php does not go through the project's central controller and does not have its own authentication and permission checks. A malicious user could make a request through tools like Postman or the file's URL on the web to access features exclusive to employees. The vulnerability allows external parties to inject unauthorized data in massive quantities into the application server's storage. Version 3.6.5 fixes the issue.
Details CVE
Score CVSS v3.19.8
SeveriteCRITICAL
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisNONE
Interaction utilisateurNONE
Publie2/27/2026
Derniere modification3/3/2026
Sourcenvd
Observations honeypot0
Produits affectes
wegia:wegia
Faiblesses (CWE)
CWE-287CWE-862
References
https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-xq3w-xwxj-fg2q(security-advisories@github.com)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.