Cyber Posture

CVE-2026-28409

Critical · Public PoC

Published: 27 February 2026
Modified: 03 March 2026
KEV Added: none listed
Patch: none listed (fixed in version 3.6.5 per the advisory)
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0143 (80.8th percentile)
Risk Priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, a critical Remote Code Execution (RCE) vulnerability exists in the WeGIA application's database restoration functionality. An attacker with administrative access (which can be obtained via the previously reported Authentication Bypass) can execute arbitrary OS commands on the server by uploading a backup file with a specifically crafted filename. Version 3.6.5 fixes the issue.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

SI-10 Information Input Validation (prevent)

Directly prevents OS command injection by validating the filename of the uploaded backup in the database restoration functionality: accept only names that match a strict allowlist (bare file name, safe characters, expected extension) and reject everything else rather than trying to strip shell metacharacters out of it. Pass the validated name to the restore process as an argument, not as part of a shell command string.

SI-2 Flaw Remediation (prevent)

Remediates the specific RCE flaw by identifying affected WeGIA instances, upgrading them to version 3.6.5, and deploying the fix promptly.

AC-6 Least Privilege (prevent)

Enforces least privilege to restrict the administrative access required to reach and exploit the database restoration feature, and to limit what the web server account can do on the host if a command is executed.
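
The pattern the description and the SI-10 control describe, as an added example that is not WeGIA's code: a backup filename interpolated into a shell string next to the hardened form (strict allowlist, argv list, dump fed on stdin so no shell is involved). The upload directory, the mysql invocation, the crafted filename and every function name are assumptions made for this illustration.

```python
# Added example, not WeGIA's own code.  Shows how a crafted backup filename
# becomes an OS command when interpolated into a shell string, and the
# hardened pattern (strict allowlist + argv list, no shell) that removes it.
# UPLOAD_DIR, RESTORE_ARGV and all function names are assumptions.
import os
import re
import shlex
import subprocess
from pathlib import PurePosixPath

UPLOAD_DIR = "/var/www/app/uploads/backups"      # assumed upload location
RESTORE_ARGV = ["mysql", "--defaults-extra-file=/etc/app/restore.cnf", "appdb"]

# --- vulnerable pattern ---------------------------------------------------
# The uploaded filename is dropped straight into a shell command string.  A
# filename like "dump.sql; id" ends the intended command and appends another.
def restore_command_vulnerable(filename: str) -> str:
    return f"{' '.join(RESTORE_ARGV)} < {UPLOAD_DIR}/{filename}"

# Tokenise a shell string the way a POSIX shell would (';', '|', '&&' become
# their own tokens) and split it into the simple commands the shell would run.
# Used here only to show what the injection turns the command into.
CHAIN_TOKENS = {";", "&&", "||", "|", "&"}

def injected_commands(cmd: str) -> list[list[str]]:
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in CHAIN_TOKENS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands

# --- hardened pattern -----------------------------------------------------
# Allowlist: a bare name (no path components), only [A-Za-z0-9_.-], must end
# in ".sql".  Reject anything else; do not try to "clean" it.
SAFE_BACKUP_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\.sql")

def is_safe_backup_filename(filename: str) -> bool:
    if filename != PurePosixPath(filename).name:   # any '/' -> rejected
        return False
    if ".." in filename:                            # traversal attempts
        return False
    return SAFE_BACKUP_NAME.fullmatch(filename) is not None

def restore_plan_hardened(filename: str) -> tuple[list[str], str]:
    """Return (argv, path) for a restore, or raise ValueError."""
    if not is_safe_backup_filename(filename):
        raise ValueError(f"rejected backup filename: {filename!r}")
    path = os.path.normpath(os.path.join(UPLOAD_DIR, filename))
    # defence in depth: the resolved path must still be inside UPLOAD_DIR
    if os.path.commonpath([UPLOAD_DIR, path]) != UPLOAD_DIR:
        raise ValueError(f"path escapes upload directory: {path!r}")
    return list(RESTORE_ARGV), path

def run_restore(filename: str) -> int:
    """Run the restore with an argv list and the dump on stdin.  No shell is
    involved, so nothing in the filename is ever interpreted."""
    argv, path = restore_plan_hardened(filename)
    with open(path, "rb") as dump:
        return subprocess.run(argv, stdin=dump, check=True).returncode

if __name__ == "__main__":
    crafted = "dump.sql; id"                      # constructed crafted name
    print(restore_command_vulnerable(crafted))
    print(injected_commands(restore_command_vulnerable(crafted)))
    for name in ("dump.sql", crafted, "$(id).sql", "../../etc/passwd"):
        print(f"{name!r:28} safe={is_safe_backup_filename(name)}")
```

The vulnerable helper only builds the string; tokenising it shows the shell would see two commands, the restore and `id`. The hardened path rejects the name outright, and even an accepted name never reaches a shell because the dump is handed to mysql on stdin.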

Security Summary [AI-generated]

CVE-2026-28409 is a critical remote code execution (RCE) vulnerability with a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) affecting WeGIA, an open-source web manager for charitable institutions. The flaw, classified as CWE-78 (OS Command Injection), resides in the application's database restoration functionality in versions prior to 3.6.5. It allows an attacker to execute arbitrary operating system commands on the server by uploading a backup file whose filename is crafted to be interpreted by the shell.

Exploitation requires administrative access to the application, which the advisory notes can be obtained through a previously reported authentication bypass. Read the vector's PR:N in light of that chain: the restore feature itself is not reachable without administrative rights, but the two flaws together need no prior privileges. Once authenticated as an admin, the attacker reaches the database restoration feature over the network with low complexity and no user interaction, and the injected commands run with the privileges of the web application's process on the host. Successful exploitation grants control of the underlying server, which is why the scope is rated as changed and the confidentiality, integrity and availability impacts are all high.

The GitHub Security Advisory (GHSA-5m5g-q2vv-rv3r) confirms that WeGIA version 3.6.5 fixes the issue. Upgrade to 3.6.5 or later immediately, make sure the previously reported authentication bypass is patched as well, since it is the route to the administrative access this flaw requires, and review who holds administrative privileges and who can reach the backup restoration feature. Until the upgrade is applied, treat any backup upload or restore by an unexpected account, and any shell spawned by the web server process, as suspicious.

Details

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Affected Products

Vendor: wegia
Product: wegia
Affected versions: < 3.6.5 (fixed in 3.6.5)

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Critical RCE via OS command injection (CWE-78) in a public-facing web application's database restoration feature directly enables exploitation of public-facing applications (T1190) and facilitates arbitrary OS command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
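
One way to turn the T1059 mapping above into a detection, as an added example that is not from the advisory or the WeGIA project: inspect process-creation telemetry and flag shells spawned by the PHP worker whose command line chains extra commands onto the expected restore. The event format, the field names, the web-worker and shell lists, the expected restore command and all sample events are constructed for this illustration.

```python
# Added example, not from the advisory or the WeGIA project.  A detection
# rule for the execution side of this flaw (T1059 reached via T1190): flag
# shells spawned by the web worker whose command line contains command
# chaining or substitution that a single restore never needs.
# Event format, field names, lists and sample events are all constructed.
import json
import re
from typing import Optional

WEB_WORKERS = {"php-fpm", "apache2", "httpd", "nginx"}            # assumed
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}
# Command chaining / substitution a legitimate restore command never needs.
CHAIN_RE = re.compile(r"[;&|`]|\$\(")
# What a legitimate restore invocation is expected to start with (assumed).
EXPECTED_RESTORE = re.compile(r"^sh -c mysql ")

SAMPLE_EVENTS = "\n".join([  # constructed sample telemetry, one JSON object per line
    '{"ts":"2026-03-01T10:14:02Z","user":"www-data","parent":"php-fpm","exe":"/bin/sh",'
    '"cmdline":"sh -c mysql --defaults-extra-file=/etc/app/restore.cnf appdb < /var/www/app/uploads/backups/dump.sql"}',
    '{"ts":"2026-03-01T10:15:40Z","user":"www-data","parent":"php-fpm","exe":"/bin/sh",'
    '"cmdline":"sh -c mysql --defaults-extra-file=/etc/app/restore.cnf appdb < /var/www/app/uploads/backups/dump.sql; id"}',
    '{"ts":"2026-03-01T10:16:05Z","user":"www-data","parent":"php-fpm","exe":"/bin/sh",'
    '"cmdline":"sh -c mysql --defaults-extra-file=/etc/app/restore.cnf appdb < /var/www/app/uploads/backups/$(id).sql"}',
    '{"ts":"2026-03-01T10:20:00Z","user":"root","parent":"cron","exe":"/bin/sh",'
    '"cmdline":"sh -c /usr/local/bin/rotate-logs.sh"}',
    '{"ts":"2026-03-01T10:21:13Z","user":"www-data","parent":"php-fpm","exe":"/usr/bin/convert",'
    '"cmdline":"convert upload.png -resize 200x200 thumb.png"}',
])

def classify(event: dict) -> Optional[dict]:
    """Return an alert for a shell spawned by a web worker, else None."""
    if event.get("parent") not in WEB_WORKERS or event.get("exe") not in SHELLS:
        return None
    cmd = event.get("cmdline", "")
    chained = CHAIN_RE.search(cmd) is not None
    expected = EXPECTED_RESTORE.match(cmd) is not None
    if chained:
        severity, reason = "high", "command chaining in shell spawned by web worker"
    elif expected:
        severity, reason = "low", "expected restore command (audit only)"
    else:
        severity, reason = "medium", "unexpected shell spawned by web worker"
    return {"ts": event["ts"], "severity": severity, "reason": reason,
            "techniques": ["T1190", "T1059"], "cmdline": cmd}

def detect(jsonl: str) -> list[dict]:
    """Run classify() over JSON-lines telemetry and return the alerts."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        alert = classify(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"], alert["ts"], alert["reason"])
```

Every shell the web worker spawns is recorded (the legitimate restore at low severity, so the baseline is visible), and the two crafted-filename events are raised to high because their command lines carry `;` and `$(`. Tune WEB_WORKERS and EXPECTED_RESTORE to the actual process names and restore command of the deployment before relying on the rule.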

References

GHSA-5m5g-q2vv-rv3r, GitHub Security Advisory for WeGIA: https://github.com/advisories/GHSA-5m5g-q2vv-rv3r
CVE-2026-28409, NVD record: https://nvd.nist.gov/vuln/detail/CVE-2026-28409