9.8
WeGIA: Unauthenticated Access to Admin Areas
CVE-2026-28411
Summary
WeGIA, a web manager for charities, has a security flaw that allows anyone to access admin areas without a password. This can lead to unauthorized changes to the system. Update to version 3.6.5 or later to fix the issue.
What to do
Update to version 3.6.5 or later, which fixes the issue.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| wegia | wegia | < 3.6.5 | 3.6.5 |
Original title
WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, an unsafe use of the `extract()` function on the `$_REQUEST` superglobal allows an unauthenticated attacker to overwrite ...
Original description
WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, an unsafe use of the `extract()` function on the `$_REQUEST` superglobal allows an unauthenticated attacker to overwrite local variables in multiple PHP scripts. This vulnerability can be leveraged to completely bypass authentication checks, allowing unauthorized access to administrative and protected areas of the WeGIA application. Version 3.6.5 fixes the issue.
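The variable-overwrite mechanism described above, as an added PHP example that is not WeGIA's code or the advisory's. The function names, the `$isAdmin` variable, the `role` session key and the `page` parameter are hypothetical, and the session and request arrays are constructed sample input.

```php
<?php
// Added illustration with hypothetical names; not taken from the WeGIA source.
declare(strict_types=1);

// Vulnerable pattern: every request key is imported into the local scope.
// extract() defaults to EXTR_OVERWRITE, so a key named like an existing
// local variable replaces the value the script computed itself.
function handleVulnerable(array $session, array $request): string
{
    $isAdmin = ($session['role'] ?? '') === 'admin'; // server-side decision
    $page = 1;
    extract($request); // request data can now replace $isAdmin and $page
    return ($isAdmin ? 'admin view' : 'access denied') . ", page={$page}";
}

// Hardened pattern: read only the keys the script expects, validate each
// one, and keep authorization state derived from the session alone.
function handleHardened(array $session, array $request): string
{
    $isAdmin = ($session['role'] ?? '') === 'admin';
    $page = filter_var(
        $request['page'] ?? 1,
        FILTER_VALIDATE_INT,
        ['options' => ['default' => 1, 'min_range' => 1]]
    );
    return ($isAdmin ? 'admin view' : 'access denied') . ", page={$page}";
}

// Constructed sample input: no authenticated session, and a request that
// carries a parameter with the same name as the local authorization flag.
$session = [];
$request = ['page' => '2', 'isAdmin' => '1'];

echo 'extract(): ', handleVulnerable($session, $request), PHP_EOL;
echo 'allowlist: ', handleHardened($session, $request), PHP_EOL;
```

Only the first handler lets the request decide the authorization outcome. When reviewing a code base for this class of bug, any `extract()` call whose argument is `$_REQUEST`, `$_GET`, `$_POST` or `$_COOKIE` deserves the same explicit-key rewrite.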
nvd CVSS3.1
9.8
Vulnerability type
CWE-288
Authentication Bypass Using Alternate Path
CWE-473
PHP External Variable Modification
References
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-g7r9-hxc8-8vh7 (Exploit, Vendor Advisory)
Published: 27 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026