CVE-2026-28411

WeGIA Vulnerable to Authentication Bypass via `extract($_REQUEST)`

Description

WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, an unsafe use of the `extract()` function on the `$_REQUEST` superglobal allows an unauthenticated attacker to overwrite local variables in multiple PHP scripts. This vulnerability can be leveraged to completely bypass authentication checks, allowing unauthorized access to administrative and protected areas of the WeGIA application. Version 3.6.5 fixes the issue.

INFO

Published Date :

2026-02-27T21:52:05.032Z

Last Modified :

2026-02-27T21:52:05.032Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-28411 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-28411.

URL	Resource
https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-g7r9-hxc8-8vh7

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact