Cyber Posture

CVE-2026-28411

Severity: Critical · Public PoC referenced
Published: 27 February 2026
Modified: 03 March 2026
KEV Added: not listed
Patch: available (fixed in WeGIA 3.6.5)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0032 (55.6th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-28411 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in WeGIA (CPE vendor/product: Wegia / Wegia). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 44.4% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly mitigates the unsafe extract() on $_REQUEST by requiring validation of untrusted HTTP inputs, preventing local variable overwrites and the resulting authentication bypass.

SI-2 Flaw Remediation (prevent, recover)
Ensures timely patching of the specific flaw in WeGIA versions prior to 3.6.5, directly addressing the CVE as confirmed by the vendor fix.

Logical access control (prevent)
Enforces logical access controls to protected areas, limiting unauthorized access even if authentication variables are overwritten by malicious requests.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-28411 enables unauthenticated remote exploitation of a public-facing web application via crafted HTTP requests, directly bypassing authentication to access protected administrative interfaces.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, an unsafe use of the `extract()` function on the `$_REQUEST` superglobal allows an unauthenticated attacker to overwrite local variables in multiple PHP scripts. This vulnerability can be leveraged to completely bypass authentication checks, allowing unauthorized access to administrative and protected areas of the WeGIA application. Version 3.6.5 fixes the issue.

Deeper analysis

CVE-2026-28411 is a critical vulnerability in WeGIA, a web manager application for charitable institutions, affecting versions prior to 3.6.5. It arises from an unsafe use of the PHP `extract()` function on the `$_REQUEST` superglobal across multiple scripts, enabling attackers to overwrite local variables. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-473 (PHP External Variable Modification).

An unauthenticated attacker can exploit this vulnerability remotely over the network with low complexity and no user interaction or privileges needed. By sending crafted HTTP requests that populate `$_REQUEST` with malicious parameter values, the attacker overwrites key local variables, completely bypassing authentication mechanisms and gaining unauthorized access to administrative interfaces and other protected areas of the WeGIA application.

The GitHub security advisory (GHSA-g7r9-hxc8-8vh7) at https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-g7r9-hxc8-8vh7 documents the flaw, confirming that upgrading to WeGIA version 3.6.5 addresses the issue by fixing the improper `extract()` usage.
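To make the mechanism concrete, here is an added illustration of the CWE-473 pattern described above and of the shape a fix takes; it is a constructed example, not WeGIA's code, and the variable and parameter names (`$autenticado`, `pagina`, `ordem`, `user_id`) are hypothetical.

```php
<?php
// Added illustration of the extract($_REQUEST) pattern behind CVE-2026-28411.
// Constructed example, not WeGIA's code: variable and key names are hypothetical.

// Vulnerable shape (CWE-473): every request key becomes a local variable,
// so state the script set before the call can be clobbered by the client.
function vulnerableGate(array $request): string
{
    $autenticado = false;          // script's own default: not logged in
    extract($request);             // a request key named "autenticado" overwrites it
    return $autenticado ? 'admin-area' : 'login';
}

// Hardened shape: authentication state comes only from the server-side
// session, and request data is read by name into clearly scoped variables.
function hardenedGate(array $request, array $session): string
{
    $autenticado = !empty($session['user_id']);   // never derived from input
    // Read only the parameters this script expects; ignore everything else.
    $pagina = isset($request['pagina']) ? (string) $request['pagina'] : 'inicio';
    $ordem  = in_array($request['ordem'] ?? '', ['asc', 'desc'], true)
            ? $request['ordem'] : 'asc';
    return $autenticado ? "admin-area?pagina=$pagina&ordem=$ordem" : 'login';
}

// Constructed request carrying an unexpected key alongside a legitimate one.
$crafted   = ['pagina' => 'inicio', 'autenticado' => '1'];
$noSession = [];

echo vulnerableGate($crafted), "\n";            // the request key decides the outcome
echo hardenedGate($crafted, $noSession), "\n";  // the session decides; the key is ignored
```

If `extract()` cannot be removed outright, PHP's `EXTR_SKIP` (keep existing variables) or `EXTR_PREFIX_ALL` (namespace every imported variable) flags reduce the blast radius, but reading expected parameters by name as above is the more robust remediation.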

Details

CWE(s): CWE-288 (Authentication Bypass Using an Alternate Path or Channel), CWE-473 (PHP External Variable Modification)

Affected Products
wegia / wegia: ≤ 3.6.5

CVEs Like This One

CVE-2025-22141 · Same product: Wegia Wegia
CVE-2025-26607 · Same product: Wegia Wegia
CVE-2025-26609 · Same product: Wegia Wegia
CVE-2025-30365 · Same product: Wegia Wegia
CVE-2026-33134 · Same product: Wegia Wegia
CVE-2025-26608 · Same product: Wegia Wegia
CVE-2025-24905 · Same product: Wegia Wegia
CVE-2025-22140 · Same product: Wegia Wegia
CVE-2025-27096 · Same product: Wegia Wegia
CVE-2025-24958 · Same product: Wegia Wegia
