Cyber Resilience

CVE-2026-28409

Critical · Public PoC · RCE

Published: 27 February 2026
Modified: 03 March 2026
CVSS Score: v3.1 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0331 (87.0th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-28409 is a critical-severity OS Command Injection (CWE-78) vulnerability in Wegia Wegia. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 13.0% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a referenced public proof of concept.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-28409 is a critical remote code execution (RCE) vulnerability with a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) affecting WeGIA, an open-source web manager for charitable institutions. The flaw, tied to CWE-78 (OS Command Injection), resides in the application's database restoration functionality prior to version 3.6.5. It allows attackers to execute arbitrary operating system commands on the server by uploading a backup file with a specially crafted filename.

An attacker requires administrative access to exploit this vulnerability, which can be obtained through a previously reported authentication bypass vulnerability. Once authenticated as an admin, the attacker can leverage the database restoration feature to inject and execute OS commands remotely over the network with low complexity and no user interaction required. Successful exploitation grants full control over the server, enabling high-impact confidentiality, integrity, and availability compromises due to the changed scope.

The GitHub Security Advisory (GHSA-5m5g-q2vv-rv3r) confirms that WeGIA version 3.6.5 addresses and fixes the issue. Security practitioners should immediately upgrade to version 3.6.5 or later and review access controls, particularly around administrative privileges and backup restoration features, while monitoring for related authentication bypass vulnerabilities.

Vulnerability details

WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, a critical Remote Code Execution (RCE) vulnerability exists in the WeGIA application's database restoration functionality. An attacker with administrative access (which can be obtained via the previously reported Authentication Bypass) can execute arbitrary OS commands on the server by uploading a backup file with a specifically crafted filename. Version 3.6.5 fixes the issue.

CWE(s)

CWE-78 OS Command Injection

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Critical RCE via OS command injection (CWE-78) in a public-facing web application's database restoration feature directly enables exploitation of public-facing applications (T1190) and facilitates arbitrary OS command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-26613 (same product: Wegia Wegia)
CVE-2025-27140 (same product: Wegia Wegia)
CVE-2025-23219 (same product: Wegia Wegia)
CVE-2025-26608 (same product: Wegia Wegia)
CVE-2025-26609 (same product: Wegia Wegia)
CVE-2026-35395 (same product: Wegia Wegia)
CVE-2025-24906 (same product: Wegia Wegia)
CVE-2025-27096 (same product: Wegia Wegia)
CVE-2025-23220 (same product: Wegia Wegia)
CVE-2025-26612 (same product: Wegia Wegia)

Affected Assets

Vendor: wegia
Product: wegia
Versions: ≤ 3.6.5 (as listed; note that the advisory text on this page states that version 3.6.5 contains the fix)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) [AI]

SI-10 Information Input Validation · prevent: Directly prevents OS command injection by validating and sanitizing the crafted filename input in the database restoration functionality.

SI-2 Flaw Remediation · prevent: Remediates the specific RCE flaw by identifying, patching to version 3.6.5, and deploying the fix promptly.

Least privilege · prevent: Enforces least privilege to restrict the administrative access required to reach and exploit the database restoration feature.
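As an added example (not WeGIA's code, and not the fix shipped in 3.6.5), the following Python contrasts the filename-in-shell anti-pattern behind CWE-78 with the input-validation approach (SI-10) the controls above describe: a positive allowlist on the uploaded backup's name, a path-containment check, and an argv-list invocation that never hands the name to a shell. The restore tool, upload directory, database name and sample filenames are assumptions chosen for illustration.

```python
"""Hardened backup-file handling for a database-restore feature (added example)."""
import re
import subprocess
from pathlib import Path

UPLOAD_DIR = Path("/var/app/uploads")    # hypothetical upload location
RESTORE_TOOL = "mysql"                   # hypothetical restore client
DB_NAME = "app_db"                       # hypothetical database name

# Positive allowlist: starts with a letter/digit, then letters/digits/dot/dash/
# underscore (at most 60 more chars), and must end in ".sql".  No slashes,
# spaces, quotes or shell metacharacters can ever match.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,59}\.sql")


def build_restore_command_unsafe(filename: str) -> str:
    """CWE-78 anti-pattern: the uploaded filename is interpolated into a shell
    string, so any shell metacharacter in it (; | & $() backtick newline)
    becomes part of the command line.  Kept here only for contrast; it is
    never executed by this module."""
    return f"{RESTORE_TOOL} {DB_NAME} < {UPLOAD_DIR / filename}"


def is_safe_backup_name(filename: str) -> bool:
    """True only if the name matches the allowlist and carries no path components."""
    return bool(SAFE_NAME.fullmatch(filename)) and Path(filename).name == filename


def validate_backup_name(filename: str) -> Path:
    """Return the resolved path of an acceptable backup file, else raise ValueError.

    An allowlist is used rather than stripping 'bad' characters: denylists
    miss encodings and tokens the author did not anticipate."""
    if not is_safe_backup_name(filename):
        raise ValueError(f"rejected backup filename: {filename!r}")
    path = (UPLOAD_DIR / filename).resolve()
    # Belt and braces: the resolved path must stay inside the upload directory.
    if path.parent != UPLOAD_DIR.resolve():
        raise ValueError("backup path escapes the upload directory")
    return path


def build_restore_command(filename: str) -> tuple[list[str], Path]:
    """Hardened form: validate first, then build an argv list.  The backup is
    fed to the tool on stdin by restore_backup(), so no shell parses the name."""
    path = validate_backup_name(filename)
    return [RESTORE_TOOL, f"--database={DB_NAME}"], path


def restore_backup(filename: str) -> int:
    """Run the restore without a shell (shell=False is subprocess's default)."""
    argv, path = build_restore_command(filename)
    with path.open("rb") as backup:
        return subprocess.run(argv, stdin=backup, check=True).returncode


if __name__ == "__main__":
    # Constructed sample names: one legitimate, one carrying a shell metacharacter.
    for name in ("backup_2026-02-27.sql", "backup.sql; echo injected"):
        print(f"{name!r}: unsafe string -> {build_restore_command_unsafe(name)!r}")
        print(f"{name!r}: allowlist accepts -> {is_safe_backup_name(name)}")
```

The point of the contrast is that the unsafe builder passes the `; echo injected` suffix through untouched, whereas the hardened path refuses the name before any command is assembled. Passing the file on stdin rather than via shell redirection is what lets the hardened version drop the shell entirely.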
