Cyber Posture

CVE-2026-28411

Severity: Critical · Public PoC

Published: 27 February 2026
Modified: 03 March 2026
KEV Added: not listed
Patch: available (fixed in version 3.6.5)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0032 (55.5th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, an unsafe use of the `extract()` function on the `$_REQUEST` superglobal allows an unauthenticated attacker to overwrite local variables in multiple PHP scripts. This vulnerability can be leveraged to completely bypass authentication checks, allowing unauthorized access to administrative and protected areas of the WeGIA application. Version 3.6.5 fixes the issue.

Mitigating Controls (NIST 800-53 r5, AI-generated)

Prevent: Directly mitigates the unsafe extract() on $_REQUEST by requiring validation of untrusted HTTP inputs, preventing local variable overwrites and the resulting authentication bypass.

Prevent / Recover: Ensures timely patching of the specific flaw in WeGIA versions prior to 3.6.5, directly addressing the CVE as confirmed by the vendor fix.

Prevent: Enforces logical access controls on protected areas, limiting unauthorized access even if authentication variables are overwritten by malicious requests.

Security Summary (AI-generated)

CVE-2026-28411 is a critical vulnerability in WeGIA, a web manager application for charitable institutions, affecting versions prior to 3.6.5. It arises from an unsafe use of the PHP `extract()` function on the `$_REQUEST` superglobal across multiple scripts, enabling attackers to overwrite local variables. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-473 (PHP External Variable Modification).

An unauthenticated attacker can exploit this vulnerability remotely over the network with low complexity and no user interaction or privileges needed. Because `$_REQUEST` merges `$_GET`, `$_POST` and, depending on PHP's `request_order` setting, `$_COOKIE`, the malicious parameters can be delivered in a query string, a form body or a cookie. A crafted request whose parameter names match the local variables of a vulnerable script (for example a variable that records whether the user is logged in) overwrites those variables after `extract()` runs, completely bypassing authentication and granting unauthorized access to administrative interfaces and other protected areas of the WeGIA application.
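The following is an added example and not WeGIA's code: it shows the vulnerable pattern the description refers to (a script that seeds its own state and then runs `extract()` over the request) next to a hardened form that reads authentication state from the server-side session and allow-lists the request fields it needs. The function, variable and parameter names (`vulnerableGuard`, `hardenedGuard`, `isAdmin`, `userId`, `page`) are hypothetical, and the request is constructed inline.

```php
<?php
// Added example, not WeGIA's code: extract() on request data lets the client
// overwrite a script's own variables; the hardened form below does not.
// All function, variable and parameter names are hypothetical.
declare(strict_types=1);

// Vulnerable pattern (CWE-473): the script sets its own state, then imports
// every request parameter as a local variable. extract() defaults to
// EXTR_OVERWRITE, so a parameter named like a local replaces that local.
function vulnerableGuard(array $request): string
{
    $isAdmin = false;   // would come from the session in a real script
    $userId  = 0;

    extract($request);  // request keys become local variables

    return $isAdmin ? "admin panel for user $userId" : 'login required';
}

// Hardened pattern: never extract() untrusted input. Authentication state
// comes only from the server-side session; the request is read field by
// field with type validation, so a stray parameter cannot reach $isAdmin.
function hardenedGuard(array $request, array $session): string
{
    $isAdmin = (bool) ($session['isAdmin'] ?? false);
    $userId  = (int) ($session['userId'] ?? 0);

    $page = filter_var(
        $request['page'] ?? 1,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'default' => 1]]
    );

    return $isAdmin ? "admin panel for user $userId, page $page" : 'login required';
}

// Constructed request from an unauthenticated client: the parameter names are
// simply the variable names the script uses. With $_REQUEST they may arrive
// via query string, POST body or (depending on request_order) cookies.
$request = ['isAdmin' => '1', 'userId' => '1', 'page' => '3'];
$session = [];   // no authenticated session at all

echo vulnerableGuard($request), PHP_EOL;
echo hardenedGuard($request, $session), PHP_EOL;
```

Run with `php file.php`: the vulnerable guard treats the request as an administrator because the string `'1'` has replaced the local `false`, while the hardened guard still demands a login. Note that switching to `extract($request, EXTR_SKIP)` is not a fix: it leaves already-defined locals alone but still creates any variable the script has not yet defined, so a later `if (isset($loggedIn))` or a variable that is only set on one code path remains attacker-controlled. The only reliable remediation is the one the vendor applied, which is to stop importing request data as variables.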

The GitHub security advisory (GHSA-g7r9-hxc8-8vh7) at https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-g7r9-hxc8-8vh7 documents the flaw, confirming that upgrading to WeGIA version 3.6.5 addresses the issue by fixing the improper `extract()` usage.
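Because the advisory states the pattern occurs in multiple scripts, a practitioner auditing a WeGIA deployment (or any PHP code base) will want a check that finds every `extract()` call fed by a request superglobal. The block below is an added example, not WeGIA's or the advisory's tooling; it uses PHP's tokenizer (ext/tokenizer, PHP 8.0 or later) rather than a plain `grep` so that mentions inside comments and string literals are not reported, and it skips method and static calls that merely happen to be named `extract`. The sample source it scans is constructed here for illustration.

```php
<?php
// Added example, not WeGIA's code: a static check that reports every
// extract() call whose first argument is a request superglobal, the pattern
// behind CVE-2026-28411. Requires PHP >= 8.0 with ext/tokenizer.
declare(strict_types=1);

const UNSAFE_SOURCES = ['$_REQUEST', '$_GET', '$_POST', '$_COOKIE'];

/** Index of the next token after $i that is not whitespace or a comment, or null. */
function nextSignificant(array $tokens, int $i): ?int
{
    for ($j = $i + 1, $n = count($tokens); $j < $n; $j++) {
        if (is_array($tokens[$j]) && in_array($tokens[$j][0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            continue;
        }
        return $j;
    }
    return null;
}

/** Index of the previous token before $i that is not whitespace or a comment, or null. */
function prevSignificant(array $tokens, int $i): ?int
{
    for ($j = $i - 1; $j >= 0; $j--) {
        if (is_array($tokens[$j]) && in_array($tokens[$j][0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            continue;
        }
        return $j;
    }
    return null;
}

/**
 * Returns [line => superglobal] for each extract(<superglobal> ...) in $code.
 * $obj->extract(...), Cls::extract(...) and "function extract" are ignored.
 */
function findUnsafeExtract(string $code): array
{
    $tokens = token_get_all($code);
    $hits = [];

    foreach ($tokens as $i => $t) {
        if (!is_array($t) || !in_array($t[0], [T_STRING, T_NAME_FULLY_QUALIFIED], true)
            || strcasecmp(ltrim($t[1], '\\'), 'extract') !== 0) {
            continue;
        }
        $p = prevSignificant($tokens, $i);
        if ($p !== null && is_array($tokens[$p])
            && in_array($tokens[$p][0], [T_OBJECT_OPERATOR, T_NULLSAFE_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true)) {
            continue;   // not a call of the global extract() function
        }
        $open = nextSignificant($tokens, $i);
        if ($open === null || $tokens[$open] !== '(') {
            continue;
        }
        $arg = nextSignificant($tokens, $open);
        if ($arg !== null && is_array($tokens[$arg]) && $tokens[$arg][0] === T_VARIABLE
            && in_array($tokens[$arg][1], UNSAFE_SOURCES, true)) {
            $hits[$t[2]] = $tokens[$arg][1];   // $t[2] is the source line number
        }
    }
    return $hits;
}

// Constructed sample source, not taken from WeGIA. The trailing comments state
// how each line should be classified.
$sample = <<<'PHP'
<?php
// extract($_REQUEST); inside a comment: must not be reported
$note = 'extract($_GET)';        // inside a string literal: must not be reported
extract($_REQUEST);              // must be reported
extract($_POST, EXTR_SKIP);      // must be reported: EXTR_SKIP still imports undefined names
extract($validatedFields);       // not a request superglobal: must not be reported
PHP;

foreach (findUnsafeExtract($sample) as $line => $source) {
    echo "sample:$line: extract($source)", PHP_EOL;
}

// Usage: php find_extract.php path/to/app/*.php
foreach (array_slice($argv ?? [], 1) as $path) {
    foreach (findUnsafeExtract((string) file_get_contents($path)) as $line => $source) {
        echo "$path:$line: extract($source)", PHP_EOL;
    }
}
```

The check only catches the direct form `extract($_REQUEST ...)`; code that first copies the superglobal into another variable (`$p = $_REQUEST; extract($p);`) or passes it through a wrapper needs data-flow analysis or a manual review, so treat a clean result as a starting point, not as proof that an installation is unaffected. For WeGIA itself the supported remediation remains upgrading to 3.6.5.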

Details

CWE(s)

CWE-288 Authentication Bypass Using an Alternate Path or Channel
CWE-473 PHP External Variable Modification

Affected Products

Vendor: wegia
Product: wegia
Versions: < 3.6.5 (fixed in 3.6.5)

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-28411 enables unauthenticated remote exploitation of a public-facing web application via crafted HTTP requests, directly bypassing authentication to access protected administrative interfaces.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

GHSA-g7r9-hxc8-8vh7: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-g7r9-hxc8-8vh7