CVE-2026-42873
Received - Intake
Information Disclosure in WeGIA File Upload

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, when attempting to upload a file with malicious content to funcionario/docdependente_upload.php, the application responds with an overly descriptive error message. This leads to information disclosure, effectively increasing the attack surface by providing potential attackers with technical insights to refine their exploits. This vulnerability is fixed in 3.6.10.
Meta Information
Published: 2026-05-11
Last Modified: 2026-05-11
Generated: 2026-06-21
AI Q&A: 2026-05-11
EPSS Evaluated: 2026-06-19
Affected Vendors & Products (2 associated CPEs)
Vendor           | Product | Version / Range
wegia            | wegia   | all versions before 3.6.10 (3.6.10 excluded)
labredescefetrj  | wegia   | all versions before 3.6.10 (3.6.10 excluded)
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-42873 affects WeGIA, a web manager for charitable institutions, in versions prior to 3.6.10. The weakness is in the file upload handler at funcionario/docdependente_upload.php: when a file with unexpected or malicious content is submitted, the application answers with an overly detailed error message instead of a generic rejection.

The advisory does not list which details are disclosed. For a PHP upload handler, messages of this kind typically echo validation internals such as the permitted file extensions or MIME types, size limits, filesystem paths, or the name of the image-processing library that rejected the file, each of which helps an attacker tune a follow-up upload attempt. The root cause is error handling that passes internal detail through to the client; the fix shipped in version 3.6.10.

Impact Analysis

The vulnerability is an information disclosure: a rejected upload yields a descriptive error message that tells the attacker why the file was rejected and what the handler was checking. On its own this does not give file write, code execution or access to stored records; its value is as reconnaissance that shortens the path to a more serious attack on the same upload endpoint.

No CVSS vector is recorded on this page, so no severity figure should be read into it. Note that a disclosure of this kind is by definition a confidentiality impact (CWE-200), even if a low one; what limits it is that the information exposed concerns the server's upload handling, not the people the application manages.

Detection Guidance

To confirm the issue, submit a file with unexpected content (for example a file named like an image whose body is not a valid image) to funcionario/docdependente_upload.php and inspect the response. A vulnerable version returns an error that reveals internals such as permitted file extensions, size limits, filesystem paths or the image-processing library involved; a fixed version returns a generic rejection.

The endpoint sits under the funcionario/ (employee) area, so expect to need a valid session for that area and pass its cookie with curl -b. The form field name below ("file") and the /WeGIA/html/ path prefix are placeholders: take the real field name and base path from the upload form in your deployment.

  • Example curl command to test the upload endpoint: curl -X POST -F "file=@malicious_file.txt" https://your-wegia-domain/WeGIA/html/funcionario/docdependente_upload.php -v
  • Check the response body for PHP warnings or notices, absolute server paths, library names, size limits or an echoed extension allow-list; any of these indicates the vulnerable behaviour.
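The same check as a small PHP CLI probe, added here as an example and not taken from WeGIA: it posts a constructed probe file (a JPEG header followed by a PHP tag, harmless by itself) and scores the response body against patterns typical of verbose PHP error output. The base URL, the multipart field name "file", the session cookie and the pattern list are assumptions; the field name in particular must be read from the real upload form.

```php
<?php
// Added example, not WeGIA code. Requires ext-curl.
// Assumptions: target URL, field name "file", and an authenticated session cookie.
declare(strict_types=1);

// Patterns that indicate an overly descriptive error from a PHP upload handler.
const VERBOSE_PATTERNS = [
    '/\b(Warning|Notice|Fatal error|Deprecated):/i',                 // PHP runtime messages
    '/\bin \/[\w.\/-]+\.php on line \d+/i',                          // absolute path + line number
    '/\b(getimagesize|imagecreatefrom\w+|finfo_file|move_uploaded_file)\b/i', // internal calls
    '/\b(GD|Imagick|ImageMagick|libpng|libjpeg)\b/',                 // image-processing libraries
    '/\b(upload_max_filesize|post_max_size|memory_limit)\b/',        // size limits
    '/\b(allowed|permitted)\s+(file\s+)?(extensions?|types?)\b/i',   // echoed allow-list
    '/\bSQLSTATE\[|\bmysqli?_/i',                                    // database errors
];

/** Return the patterns matched by a response body; an empty array means "looks generic". */
function verboseErrorIndicators(string $body): array
{
    $hits = [];
    foreach (VERBOSE_PATTERNS as $re) {
        if (preg_match($re, $body) === 1) {
            $hits[] = $re;
        }
    }
    return $hits;
}

/** Build the constructed probe file: JPEG magic bytes followed by a PHP tag, named as an image. */
function makeProbeFile(): string
{
    $base = tempnam(sys_get_temp_dir(), 'probe_');
    $path = $base . '.jpg';
    rename($base, $path);
    file_put_contents($path, "\xFF\xD8\xFF\xE0<?php echo 'probe'; ?>");
    return $path;
}

/** POST the probe as multipart/form-data and classify the answer. */
function probeUpload(string $url, string $field, string $cookie): array
{
    $file = makeProbeFile();
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => [$field => new CURLFile($file, 'image/jpeg', 'probe.jpg')],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_COOKIE         => $cookie,        // e.g. "PHPSESSID=..." for the funcionario area
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body   = (string) curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    unlink($file);
    return ['status' => $status, 'body' => $body, 'indicators' => verboseErrorIndicators($body)];
}

// Usage (hypothetical host and cookie):
// $r = probeUpload('https://wegia.example.org/html/funcionario/docdependente_upload.php',
//                  'file', 'PHPSESSID=replace-me');
// echo $r['indicators'] ? "verbose error leak (HTTP {$r['status']})\n" : "generic response\n";
```

Run it once against a pre-3.6.10 instance and once after upgrading: the indicator list should go from non-empty to empty for the same probe file. Keep the pattern list as a starting point only; a handler that leaks a custom-worded allow-list will need a pattern added for that wording.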
Compliance Impact

The vulnerability causes information disclosure through overly descriptive error messages during file uploads, which could potentially expose technical details to attackers.

However, the disclosed information is technical detail about the server's upload handling rather than personal or sensitive data held by the application.

Given this limited impact and the nature of the disclosed information, the vulnerability may have minimal direct effect on compliance with standards like GDPR or HIPAA, which focus on protecting personal and sensitive data.

Nonetheless, any information disclosure could be considered a risk under such regulations, so addressing the vulnerability by updating to version 3.6.10 is recommended to maintain compliance.

Mitigation Strategies

The immediate step is to upgrade WeGIA to version 3.6.10 or later, where the issue is fixed.

Until the upgrade can be performed, restrict access to the file upload functionality to trusted users only and monitor upload attempts, in particular repeated rejected uploads from one account, which is what a probe of this endpoint looks like.

Independently of the upgrade, review error handling in upload code so that the client receives only a generic message while the detail (detected MIME type, path, library error) goes to the server-side log. For a PHP deployment also confirm that display_errors is off and log_errors is on in production, otherwise PHP warnings raised inside the handler are printed into the response regardless of what the application code returns.
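The following is an added illustration of that hardening, not WeGIA's code: a hypothetical upload handler written the leaky way next to the same handler returning a generic message and logging the detail under a correlation id. The field name, the MIME allow-list and the upload directory are assumptions.

```php
<?php
// Added example, not WeGIA code. Both handlers take one entry of $_FILES.
declare(strict_types=1);

// Assumed allow-list: detected MIME type => extension the server will assign.
const ALLOWED_MIME = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'application/pdf' => 'pdf'];

// BEFORE: internal detail is echoed straight to the client (the CWE-200 pattern).
function handleUploadVerbose(array $file, string $uploadDir): string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_MIME[$mime])) {
        // Leaks the allow-list, the detected type and a server-side path.
        return "Upload rejected: detected type '$mime' is not one of "
             . implode(', ', array_keys(ALLOWED_MIME)) . " (tmp file {$file['tmp_name']})";
    }
    $dest = $uploadDir . '/' . basename($file['name']);
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        $err = error_get_last();
        // Leaks the PHP warning text and the destination path.
        return 'Move failed: ' . ($err['message'] ?? 'unknown') . " -> $dest";
    }
    return 'OK';
}

// AFTER: generic client message; full detail goes to the server log under a correlation id.
function handleUploadHardened(array $file, string $uploadDir): string
{
    $ref  = bin2hex(random_bytes(6));   // lets support find the log line without exposing it
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_MIME[$mime])) {
        error_log("upload[$ref] rejected: mime=" . var_export($mime, true)
                . " name=" . $file['name'] . " size=" . $file['size']);
        return "The file could not be accepted (ref $ref).";
    }
    // Server-chosen name and extension: the client filename is never used on disk.
    $dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$mime];
    // '@' keeps the PHP warning out of the response even if display_errors is on.
    if (!@move_uploaded_file($file['tmp_name'], $dest)) {
        $err = error_get_last();
        error_log("upload[$ref] move failed: " . ($err['message'] ?? 'unknown') . " dest=$dest");
        return "The file could not be saved (ref $ref).";
    }
    return 'OK';
}

// Usage in a request handler (assumed form field name "documento"):
// echo handleUploadHardened($_FILES['documento'], '/var/www/wegia/uploads');
```

The hardened version changes three things: the rejection text carries no information that depends on the input, the detail is logged rather than returned, and the stored filename is chosen by the server, so even the "OK" path tells the client nothing about the filesystem.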
