CVE-2026-28408
Received Received - Intake
Unauthorized Data Injection in WeGIA adicionar_tipo_docs_atendido.php

Publication date: 2026-02-27

Last updated on: 2026-03-03

Assigner: GitHub, Inc.

Description
WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, the script in adicionar_tipo_docs_atendido.php does not go through the project's central controller and does not have its own authentication and permission checks. A malicious user could make a request through tools like Postman or the file's URL on the web to access features exclusive to employees. The vulnerability allows external parties to inject unauthorized data in massive quantities into the application server's storage. Version 3.6.5 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-27
Last Modified
2026-03-03
Generated
2026-06-16
AI Q&A
2026-02-28
EPSS Evaluated
2026-06-14
NVD
CVE-2026-28408
EUVD
EUVD-2026-9079
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wegia wegia to 3.6.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in WeGIA, a web manager for charitable institutions, in versions prior to 3.6.5. The script adicionar_tipo_docs_atendido.php does not pass through the project's central controller and lacks its own authentication and permission checks. As a result, a malicious user can send requests directly to this script using tools like Postman or by accessing the file's URL, bypassing security controls.

This allows unauthorized external parties to inject large amounts of unauthorized data into the application server's storage.

The issue was fixed in version 3.6.5.

Impact Analysis

This vulnerability can have severe impacts because it allows attackers to inject unauthorized data into the server storage without any authentication or permission checks.

Such unauthorized data injection can lead to data integrity issues, potential data corruption, and unauthorized access to features meant only for employees.

Given the CVSS score of 9.8, the vulnerability has a high impact on confidentiality, integrity, and availability, meaning it could lead to significant compromise of the system.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade WeGIA to version 3.6.5 or later, as this version fixes the issue by adding proper authentication and permission checks to the script adicionar_tipo_docs_atendido.php.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28408. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart