CVE-2026-45027
Deferred Deferred - Pending Action
Weak SHA-256 Password Hashing in WeGIA

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
WeGIA is a web manager for charitable institutions. In versions prior to 3.7.3, when a user logs in, html/login.php hashes the submitted password using PHP's hash() function with the SHA-256 algorithm and no salt before comparing it to the stored value. The password change flow in controle/FuncionarioControle.php follows the same pattern. SHA-256 is a general-purpose cryptographic hash built for speed, not password storage. Without a salt, identical passwords produce identical digests, making the entire hash database vulnerable to a single precomputed rainbow table lookup. This vulnerability is fixed in 3.7.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-27
Generated
2026-06-17
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-45027
EUVD
EUVD-2026-32565
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wegia wegia to 3.7.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-916 The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.
CWE-759 The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in WeGIA versions prior to 3.7.3 where the application hashes user passwords using PHP's hash() function with the SHA-256 algorithm without applying a salt. This means that when a user logs in or changes their password, the password is hashed in a way that is fast but not secure for password storage.

Because no salt is used, identical passwords produce identical hash digests. This makes the stored password hashes vulnerable to attacks using precomputed rainbow tables, which can quickly reveal the original passwords from their hashes.

This vulnerability was fixed in version 3.7.3 of WeGIA.

Impact Analysis

This vulnerability can lead to the compromise of user passwords stored in the system. Because the password hashes are generated without a salt and using a fast hashing algorithm, attackers can use precomputed rainbow tables to reverse the hashes and obtain the original passwords.

If an attacker gains access to the password hash database, they can potentially recover many user passwords, leading to unauthorized access to user accounts and sensitive information.

Mitigation Strategies

To mitigate this vulnerability, upgrade WeGIA to version 3.7.3 or later, where the issue with unsalted SHA-256 password hashing is fixed.

Compliance Impact

The vulnerability involves storing passwords as unsalted SHA-256 hashes, which allows attackers to recover plaintext passwords offline with minimal effort. This weak password hashing practice increases the risk of unauthorized access to user data.

Such a weakness can lead to non-compliance with common security standards and regulations like GDPR and HIPAA, which require adequate protection of personal and sensitive data, including strong password storage mechanisms to prevent data breaches.

Failure to properly secure passwords may result in violations of confidentiality requirements, potentially leading to legal and regulatory consequences.

Detection Guidance

This vulnerability can be detected by inspecting the password storage mechanism in the WeGIA application database, specifically the `pessoa` table, to check if passwords are stored as unsalted SHA-256 hashes.

Additionally, reviewing the source code files `html/login.php` and `controle/FuncionarioControle.php` for the use of PHP's hash() function with SHA-256 and no salt during password hashing can confirm the presence of the vulnerability.

To detect the vulnerability on your system, you can run SQL queries to extract password hashes from the `pessoa` table and analyze their format and hashing method.

  • Example SQL command to extract password hashes: SELECT password_column FROM pessoa;
  • Check the application source code for hashing calls, e.g., grep -r "hash('sha256'" ./html/login.php ./controle/FuncionarioControle.php

Note that the proof of concept uses MariaDB's XPATH truncation behavior to extract full SHA-256 hashes, which may require specialized queries or scripts to detect.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45027. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart