WeGIA Web Manager: Unrestricted Access to Employee Features
CVE-2026-28408 (CVSS 3.1 base score 9.8)
Summary
A flaw in WeGIA's web manager lets unauthenticated users reach a script intended only for employees (adicionar_tipo_docs_atendido.php) and use it to insert large amounts of unauthorized data into the application's storage. The script is reachable directly by URL, bypasses the project's central controller and performs no authentication or permission check of its own. Version 3.6.5 fixes this, so update to that version. If you cannot update immediately, restrict access to the affected script (for example, at the web server) until you can.
What to do
Update to WeGIA 3.6.5 or later. Until then, block or restrict direct requests to adicionar_tipo_docs_atendido.php. After updating, confirm that an unauthenticated request to that script (no session cookie) is rejected rather than processed.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| wegia | wegia | < 3.6.5 | 3.6.5 |
Original description
WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, the script in adicionar_tipo_docs_atendido.php does not go through the project's central controller and does not have its own authentication and permission checks. A malicious user could make a request through tools like Postman or the file's URL on the web to access features exclusive to employees. The vulnerability allows external parties to inject unauthorized data in massive quantities into the application server's storage. Version 3.6.5 fixes the issue.
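The bug class described above (a PHP script that is requested directly, never passes through the central controller and has no guard of its own) is easy to hunt for statically across a web root. The following audit script is an added example, not WeGIA's code or tooling: it walks a directory of PHP files, strips comments so that a commented-out guard does not count, and flags any directly reachable script that reads request input or writes to storage without including the central controller or calling an authentication/permission function. The controller file names, guard function names and skipped directories are assumptions (WeGIA's real names are not stated in the advisory) and are meant to be adjusted; the sample tree it audits by default is constructed for the demonstration.

```python
"""Static audit for PHP scripts reachable without an authentication guard.

Added example, not WeGIA code. CONTROLLER_FILES, GUARD_FUNCTIONS and SKIP_DIRS
are assumed names/paths: set them to match the codebase being audited.
"""
from __future__ import annotations

import re
import sys
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Assumptions: the central controller include and the guard functions a
# standalone script may call instead. Adjust for the real project.
CONTROLLER_FILES = ("control.php", "controller.php")
GUARD_FUNCTIONS = ("require_login", "verificar_permissao", "check_permission")
# Directories whose files are library code, not directly requested endpoints.
SKIP_DIRS = {"vendor", "includes", "classes"}

# First quoted .php path after require/include/_once, e.g.
#   require_once __DIR__ . '/../../control/control.php';
INCLUDE_RE = re.compile(
    r"\b(?:require|include)(?:_once)?\b[^;]*?['\"]([^'\"]*\.php)['\"]", re.I)
GUARD_RE = re.compile(
    r"\b(?:" + "|".join(map(re.escape, GUARD_FUNCTIONS)) + r")\s*\(", re.I)
SESSION_RE = re.compile(r"\$_SESSION\s*\[")
INPUT_RE = re.compile(r"\$_(?:POST|GET|REQUEST|FILES)\s*\[")
WRITE_RE = re.compile(
    r"\b(?:INSERT\s+INTO|UPDATE|DELETE\s+FROM)\b|\bmove_uploaded_file\s*\(", re.I)
# Heuristic comment stripper: block comments, and // or # to end of line.
COMMENT_RE = re.compile(r"/\*.*?\*/|(?://|#)[^\n]*", re.S)


@dataclass
class Finding:
    path: str
    reads_input: bool
    writes_storage: bool
    touches_session: bool  # reads $_SESSION but never calls a guard: triage manually


def strip_comments(src: str) -> str:
    return COMMENT_RE.sub("", src)


def is_guarded(src: str) -> bool:
    """True if the script includes the central controller or calls a guard."""
    code = strip_comments(src)
    included = {Path(m.group(1)).name.lower() for m in INCLUDE_RE.finditer(code)}
    if included & set(CONTROLLER_FILES):
        return True
    return bool(GUARD_RE.search(code))


def audit_source(rel_path: str, src: str) -> Finding | None:
    """Return a Finding when an unguarded script handles input or writes data."""
    code = strip_comments(src)
    reads = bool(INPUT_RE.search(code))
    writes = bool(WRITE_RE.search(code))
    if not (reads or writes) or is_guarded(src):
        return None
    return Finding(rel_path, reads, writes, bool(SESSION_RE.search(code)))


def audit_tree(root: Path) -> list[Finding]:
    findings: list[Finding] = []
    for php in sorted(root.rglob("*.php")):
        rel = php.relative_to(root)
        if SKIP_DIRS & set(rel.parts[:-1]):
            continue  # library code, assumed not requested directly
        src = php.read_text(encoding="utf-8", errors="replace")
        finding = audit_source(rel.as_posix(), src)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample tree (not WeGIA source) covering the cases the audit must tell apart.
SAMPLE_TREE = {
    # The bug class: request input plus a DB write, guard only in a comment.
    "html/atendido/adicionar_tipo_docs_atendido.php": """<?php
// require_login();  commented out, must not count as a guard
$conn = new mysqli('localhost', 'app', 'secret', 'wegia');
$nome = $_POST['nome'];
$conn->query("INSERT INTO tipo_docs_atendido (nome) VALUES ('$nome')");
echo 'ok';
""",
    # Same feature routed through the assumed central controller.
    "html/atendido/listar_tipo_docs_atendido.php": """<?php
require_once __DIR__ . '/../../control/control.php';
$tipos = $pdo->query('SELECT nome FROM tipo_docs_atendido')->fetchAll();
""",
    # Standalone script with its own guard call.
    "html/funcionario/editar.php": """<?php
session_start();
verificar_permissao('funcionario:editar');
$id = $_GET['id'];
$stmt = $pdo->prepare('UPDATE funcionario SET nome = ? WHERE id = ?');
""",
    # Library code under a skipped directory.
    "includes/db.php": "<?php\n$pdo = new PDO('mysql:host=localhost;dbname=wegia', 'app', $_POST['x']);\n",
    # Static page: no input, no writes.
    "html/index.php": "<?php echo 'hello';",
}


def run_demo() -> list[Finding]:
    """Materialise SAMPLE_TREE in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, src in SAMPLE_TREE.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(src, encoding="utf-8")
        return audit_tree(root)


if __name__ == "__main__":
    results = audit_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else run_demo()
    for f in results:
        print(f"UNGUARDED {f.path} input={f.reads_input} writes={f.writes_storage} "
              f"session={f.touches_session}")
```

Run it with a web root as the first argument to audit a real tree, or with no arguments to audit the constructed sample, where only the standalone add script is reported. The regexes are deliberately loose heuristics (a `//` inside a string literal is stripped as a comment, and a script that merely reads `$_SESSION` without acting on it is reported with `touches_session=True` for manual triage), so treat the output as a review list, not a verdict.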
NVD CVSS 3.1 base score
9.8
Vulnerability type
CWE-287
Improper Authentication
CWE-862
Missing Authorization
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-xq3w-xwxj-fg2q (Exploit, Vendor Advisory)
Published: 27 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026