CVE-2026-28411
Published: 27 February 2026
Summary
CVE-2026-28411 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in WeGIA (LabRedesCefetRJ). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 43.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-28411 is a critical vulnerability in WeGIA, a web manager application for charitable institutions, affecting versions prior to 3.6.5. It arises from an unsafe use of the PHP `extract()` function on the `$_REQUEST` superglobal across multiple scripts, enabling attackers to overwrite local variables. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-473 (PHP External Variable Modification).
An unauthenticated attacker can exploit this vulnerability remotely over the network with low complexity and no user interaction or privileges needed. By sending crafted HTTP requests that populate `$_REQUEST` with malicious parameter values, the attacker overwrites key local variables, completely bypassing authentication mechanisms and gaining unauthorized access to administrative interfaces and other protected areas of the WeGIA application.
The GitHub security advisory (GHSA-g7r9-hxc8-8vh7) at https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-g7r9-hxc8-8vh7 documents the flaw, confirming that upgrading to WeGIA version 3.6.5 addresses the issue by fixing the improper `extract()` usage.
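The following is an added illustration of the bug class the advisory describes, not WeGIA's own code: the variable name `$isAdmin`, the parameter `page` and both handler functions are hypothetical. It places the unsafe `extract()`-on-request pattern (CWE-473) next to a handler that takes its authorization state from the server-side session and reads request parameters individually with an allow-list check.

```php
<?php
// Added example, not WeGIA's code: variable and parameter names are hypothetical.
// It contrasts the unsafe extract($_REQUEST) pattern (CWE-473) with a handler
// that reads only the parameters it expects, by name, and validates them.

// Vulnerable pattern: every request key becomes a local variable. extract()'s
// default flag is EXTR_OVERWRITE, so a request parameter whose name matches an
// internal flag silently replaces that flag's value.
function vulnerableHandler(array $request): bool
{
    $isAdmin = false;      // meant to be derived from the session, never from input
    extract($request);     // $isAdmin is now whatever the request said, if the key exists
    return (bool) $isAdmin;
}

// Hardened pattern: authorization state comes only from server-side session
// data, and each expected parameter is read by name and validated. Keys the
// script does not ask for never reach the local symbol table.
function hardenedHandler(array $request, array $session): array
{
    $isAdmin = ($session['role'] ?? '') === 'admin';   // server-controlled only

    // Allow-list the page name; anything that does not match falls back to a default.
    $page = filter_var(
        $request['page'] ?? '',
        FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/^[a-z_]{1,32}$/']]
    );
    if ($page === false) {
        $page = 'home';
    }

    return ['isAdmin' => $isAdmin, 'page' => $page];
}

// Constructed sample request: one parameter collides with the internal flag name.
$crafted = ['page' => 'admin', 'isAdmin' => '1'];
$session = ['role' => 'volunteer'];   // constructed session for a non-admin user

var_dump(vulnerableHandler($crafted));
var_dump(hardenedHandler($crafted, $session));
```

Run with `php example.php`: the vulnerable handler reports the non-admin request as administrative because the colliding key overwrote `$isAdmin`, while the hardened handler keeps `isAdmin` false and only passes the validated `page` value through. Switching to `extract($request, EXTR_SKIP)` would stop existing variables from being overwritten but still lets a request create arbitrary new variables, so the durable fix is to stop extracting untrusted arrays altogether. For code review or triage, `grep -rn -E 'extract\(\s*\$_(REQUEST|GET|POST|COOKIE)' --include='*.php' .` lists every script that applies `extract()` to a request superglobal.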
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9081
Vulnerability details
WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, an unsafe use of the `extract()` function on the `$_REQUEST` superglobal allows an unauthenticated attacker to overwrite local variables in multiple PHP scripts. This vulnerability can be leveraged to completely bypass authentication checks, allowing unauthorized access to administrative and protected areas of the WeGIA application. Version 3.6.5 fixes the issue.
- CWE(s): CWE-288 (Authentication Bypass Using an Alternate Path or Channel), CWE-473 (PHP External Variable Modification)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
CVE-2026-28411 enables unauthenticated remote exploitation of a public-facing web application via crafted HTTP requests, directly bypassing authentication to access protected administrative interfaces.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly mitigates the unsafe `extract()` on `$_REQUEST` by requiring validation of untrusted HTTP inputs to prevent local variable overwrites and authentication bypass.
- SI-2 (Flaw Remediation): Ensures timely patching of the specific flaw in WeGIA versions prior to 3.6.5, directly addressing the CVE as confirmed by the vendor fix.
- Enforces logical access controls to protected areas, limiting unauthorized access even if authentication variables are overwritten by malicious requests.