CVE-2026-28408
Received Received - Intake
Unauthorized Data Injection in WeGIA adicionar_tipo_docs_atendido.php

Publication date: 2026-02-27

Last updated on: 2026-03-03

Assigner: GitHub, Inc.

Description
WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, the script in adicionar_tipo_docs_atendido.php does not go through the project's central controller and does not have its own authentication and permission checks. A malicious user could make a request through tools like Postman or the file's URL on the web to access features exclusive to employees. The vulnerability allows external parties to inject unauthorized data in massive quantities into the application server's storage. Version 3.6.5 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-27
Last Modified
2026-03-03
Generated
2026-05-27
AI Q&A
2026-02-28
EPSS Evaluated
2026-05-25
NVD
CVE-2026-28408
EUVD
EUVD-2026-9079
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wegia wegia to 3.6.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in WeGIA, a web manager for charitable institutions, in versions prior to 3.6.5. The script adicionar_tipo_docs_atendido.php does not pass through the project's central controller and lacks its own authentication and permission checks. As a result, a malicious user can send requests directly to this script using tools like Postman or by accessing the file's URL, bypassing security controls.

This allows unauthorized external parties to inject large amounts of unauthorized data into the application server's storage.

The issue was fixed in version 3.6.5.


How can this vulnerability impact me? :

This vulnerability can have severe impacts because it allows attackers to inject unauthorized data into the server storage without any authentication or permission checks.

Such unauthorized data injection can lead to data integrity issues, potential data corruption, and unauthorized access to features meant only for employees.

Given the CVSS score of 9.8, the vulnerability has a high impact on confidentiality, integrity, and availability, meaning it could lead to significant compromise of the system.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade WeGIA to version 3.6.5 or later, as this version fixes the issue by adding proper authentication and permission checks to the script adicionar_tipo_docs_atendido.php.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart