CVE-2026-42873
Status: Received - Intake
Information Disclosure in WeGIA File Upload

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, when attempting to upload a file with malicious content to funcionario/docdependente_upload.php, the application responds with an overly descriptive error message. This leads to information disclosure, effectively increasing the attack surface by providing potential attackers with technical insights to refine their exploits. This vulnerability is fixed in 3.6.10.
Meta Information
Published: 2026-05-11
Last Modified: 2026-05-11
Generated: 2026-05-12
AI Q&A: 2026-05-11
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)
Vendor            Product   Version / Range
wegia             wegia     up to 3.6.10 (exclusive)
labredescefetrj   wegia     up to 3.6.10 (exclusive)
CWE
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-42873 affects WeGIA, a web manager for charitable institutions, specifically versions 3.6.9 and earlier. The vulnerability occurs in the file upload functionality at funcionario/docdependente_upload.php. When a user attempts to upload a malicious file, the application responds with overly detailed error messages that disclose sensitive technical information.

This information leakage can reveal details such as permitted file extensions, buffer sizes, or image processing libraries, which attackers could use to refine their exploits. The vulnerability is due to improper error handling and is fixed in version 3.6.10.


How can this vulnerability impact me?

The vulnerability leads to information disclosure by providing overly descriptive error messages when malicious files are uploaded. This increases the attack surface by giving potential attackers technical insights that can help them craft more effective attacks.

However, the overall impact is limited as the CVSS v3 base score is low (0.0 to 3.1), indicating it does not directly affect confidentiality, integrity, or availability. The attack requires low privileges and no user interaction, but the scope remains unchanged.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to upload a malicious file to the endpoint funcionario/docdependente_upload.php on the WeGIA web manager application. If the application returns overly descriptive error messages revealing technical details such as permitted file extensions, buffer sizes, or image processing libraries, it indicates the presence of the vulnerability.

A practical approach is to use tools like curl or wget to simulate a file upload with crafted malicious content and observe the error response.

  • Example curl command to test the upload endpoint: curl -X POST -F "file=@malicious_file.txt" https://your-wegia-domain/WeGIA/html/funcionario/docdependente_upload.php -v
  • Check the response for overly detailed error messages that disclose internal system information.

What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade the WeGIA application to version 3.6.10 or later, where the issue has been fixed.

Until the upgrade can be performed, consider restricting access to the file upload functionality to trusted users only, and monitor upload attempts for suspicious activity.

Additionally, review and harden error handling to avoid disclosing sensitive technical information in error messages.
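As an added example that is not WeGIA's own code, the following PHP upload handler shows the hardening the last point describes: every validation failure is logged server-side with its technical reason, while the client receives only a generic message and an opaque reference id. The size limit, the MIME allow-list, the upload directory and the session field are assumptions.

```php
<?php
// Added example (not WeGIA's code): a document-upload handler that keeps the
// technical reason for a rejection in the server log and returns only a
// generic message plus a reference id to the client. Limits, paths and the
// session field below are assumptions.
declare(strict_types=1);

const MAX_UPLOAD_BYTES = 5 * 1024 * 1024;                 // assumed limit
const ALLOWED_MIME = ['application/pdf' => 'pdf', 'image/jpeg' => 'jpg', 'image/png' => 'png'];
const UPLOAD_DIR = '/var/www/uploads/dependente';        // assumed path, outside the web root

// Validates one $_FILES entry and stores it; returns the stored path.
// Exception messages are for the log only and must never reach the client.
function storeDependentDocument(array $file): string
{
    $code = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($code !== UPLOAD_ERR_OK) {
        throw new RuntimeException('PHP upload error code ' . $code);
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('size ' . $file['size'] . ' exceeds limit');
    }
    // Detect the type from the content, not from the client-supplied name or MIME.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_MIME[$mime])) {
        throw new RuntimeException('rejected content type ' . $mime);
    }
    // Server-generated name: no user-controlled path component reaches the disk.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move_uploaded_file failed for ' . $dest);
    }
    return $dest;
}

header('Content-Type: application/json');
try {
    storeDependentDocument($_FILES['file'] ?? []);
    http_response_code(200);
    echo json_encode(['status' => 'ok']);
} catch (Throwable $e) {
    // The opaque id lets support correlate a user's report with the log entry.
    $ref = bin2hex(random_bytes(8));
    error_log(sprintf('[upload %s] user=%s ip=%s reason=%s', $ref,
        $_SESSION['user_id'] ?? 'anon', $_SERVER['REMOTE_ADDR'] ?? '-', $e->getMessage()));
    http_response_code(400);
    // Generic message: no extension list, size limit, library name or path.
    echo json_encode(['status' => 'error', 'message' => 'The file could not be uploaded.', 'ref' => $ref]);
}
```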


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability causes information disclosure through overly descriptive error messages during file uploads, which could potentially expose technical details to attackers.

However, the CVSS score and description indicate that it does not directly affect confidentiality, integrity, or availability of sensitive data.

Given this limited impact and the nature of the disclosed information, the vulnerability may have minimal direct effect on compliance with standards like GDPR or HIPAA, which focus on protecting personal and sensitive data.

Nonetheless, any information disclosure could be considered a risk under such regulations, so addressing the vulnerability by updating to version 3.6.10 is recommended to maintain compliance.

