CVE-2026-28409
Published: 27 February 2026
Summary
CVE-2026-28409 is a critical-severity OS Command Injection (CWE-78) vulnerability in Wegia Wegia. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents OS command injection by validating and sanitizing the crafted filename input in the database restoration functionality.
Remediates the specific RCE flaw by identifying, patching to version 3.6.5, and deploying the fix promptly.
Enforces least privilege to restrict administrative access required to reach and exploit the database restoration feature.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Critical RCE via OS command injection (CWE-78) in a public-facing web application's database restoration feature directly enables exploitation of public-facing applications (T1190) and facilitates arbitrary OS command execution (T1059).
NVD Description
WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, a critical Remote Code Execution (RCE) vulnerability exists in the WeGIA application's database restoration functionality. An attacker with administrative access (which can be obtained via the previously reported…
more
Authentication Bypass) can execute arbitrary OS commands on the server by uploading a backup file with a specifically crafted filename. Version 3.6.5 fixes the issue.
Deeper analysisAI
CVE-2026-28409 is a critical remote code execution (RCE) vulnerability with a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) affecting WeGIA, an open-source web manager for charitable institutions. The flaw, tied to CWE-78 (OS Command Injection), resides in the application's database restoration functionality prior to version 3.6.5. It allows attackers to execute arbitrary operating system commands on the server by uploading a backup file with a specially crafted filename.
An attacker requires administrative access to exploit this vulnerability, which can be obtained through a previously reported authentication bypass vulnerability. Once authenticated as an admin, the attacker can leverage the database restoration feature to inject and execute OS commands remotely over the network with low complexity and no user interaction required. Successful exploitation grants full control over the server, enabling high-impact confidentiality, integrity, and availability compromises due to the changed scope.
The GitHub Security Advisory (GHSA-5m5g-q2vv-rv3r) confirms that WeGIA version 3.6.5 addresses and fixes the issue. Security practitioners should immediately upgrade to version 3.6.5 or later and review access controls, particularly around administrative privileges and backup restoration features, while monitoring for related authentication bypass vulnerabilities.
Details
- CWE(s)