Cyber Resilience

CVE-2026-28411

Critical · Public PoC

Published: 27 February 2026

Modified: 03 March 2026
KEV Added: not listed
Patch: available (WeGIA 3.6.5)
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0059 (43.8th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-28411 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Wegia Wegia. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 43.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-28411 is a critical vulnerability in WeGIA, a web manager application for charitable institutions, affecting versions prior to 3.6.5. It arises from an unsafe use of the PHP `extract()` function on the `$_REQUEST` superglobal across multiple scripts, enabling attackers to overwrite local variables. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-473 (PHP External Variable Modification).

An unauthenticated attacker can exploit this vulnerability remotely over the network with low complexity and no user interaction or privileges needed. By sending crafted HTTP requests that populate `$_REQUEST` with malicious parameter values, the attacker overwrites key local variables, completely bypassing authentication mechanisms and gaining unauthorized access to administrative interfaces and other protected areas of the WeGIA application.
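To make the mechanism concrete, here is an added PHP illustration (hypothetical code, not WeGIA's and not taken from the advisory): an authorisation check that a request parameter can overwrite because the script calls `extract()` on untrusted input, followed by the hardened form that reads only the parameters it expects. The function names and the `is_admin` / `page` parameters are assumptions for the illustration.

```php
<?php
// Hypothetical illustration, not WeGIA's code. $_REQUEST merges GET, POST and
// COOKIE data, so every key in it is attacker-controlled; passing it to
// extract() turns each key into a local variable (CWE-473), which is how an
// authentication check can be bypassed (CWE-288).

// --- Vulnerable pattern -----------------------------------------------------
function vulnerable_is_admin(array $request): bool
{
    $is_admin = false;          // default: not authorised
    // ... a session lookup would normally set $is_admin here ...
    extract($request);          // default flag is EXTR_OVERWRITE: a request
                                // parameter named "is_admin" replaces the local
    return (bool) $is_admin;
}

// --- Hardened pattern -------------------------------------------------------
// Authorisation state comes only from server-side session data, and request
// parameters are read explicitly by name; they can never name a variable.
function hardened_is_admin(array $request, array $session): bool
{
    $is_admin = isset($session['is_admin']) && $session['is_admin'] === true;

    $page = (string) ($request['page'] ?? 'home');   // used for routing only
    if (!preg_match('/^[a-z0-9_]{1,32}$/', $page)) { // validate, don't trust
        $page = 'home';
    }
    // ... route on $page; nothing in $request can reach $is_admin ...
    return $is_admin;
}

// --- Legacy stop-gap --------------------------------------------------------
// Where extract() cannot be removed quickly, EXTR_SKIP refuses to overwrite
// variables that already exist. Locals defined *after* the call are still at
// risk, so this is a bridge to the explicit version above, not a replacement.
function legacy_is_admin(array $request): bool
{
    $is_admin = false;
    extract($request, EXTR_SKIP);
    return (bool) $is_admin;
}

// Constructed sample requests (not from the advisory).
$benign   = ['page' => 'home'];
$tampered = ['page' => 'home', 'is_admin' => '1'];

foreach (['benign' => $benign, 'tampered' => $tampered] as $label => $req) {
    printf("%-8s vulnerable=%s legacy=%s hardened=%s\n", $label,
        var_export(vulnerable_is_admin($req), true),
        var_export(legacy_is_admin($req), true),
        var_export(hardened_is_admin($req, []), true));
}
```

Run with `php` on the command line; the tampered request flips only the vulnerable variant, which is the detection signal to look for in a code review (any `extract($_REQUEST)`, `extract($_GET)` or `extract($_POST)` without a strict whitelist of expected keys).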

The GitHub security advisory (GHSA-g7r9-hxc8-8vh7) at https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-g7r9-hxc8-8vh7 documents the flaw, confirming that upgrading to WeGIA version 3.6.5 addresses the issue by fixing the improper `extract()` usage.

Vulnerability details

WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, an unsafe use of the `extract()` function on the `$_REQUEST` superglobal allows an unauthenticated attacker to overwrite local variables in multiple PHP scripts. This vulnerability can be leveraged to completely bypass authentication checks, allowing unauthorized access to administrative and protected areas of the WeGIA application. Version 3.6.5 fixes the issue.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-28411 enables unauthenticated remote exploitation of a public-facing web application via crafted HTTP requests, directly bypassing authentication to access protected administrative interfaces.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-24958 (same product: Wegia Wegia)
CVE-2025-24905 (same product: Wegia Wegia)
CVE-2025-26612 (same product: Wegia Wegia)
CVE-2025-24902 (same product: Wegia Wegia)
CVE-2025-24901 (same product: Wegia Wegia)
CVE-2025-27133 (same product: Wegia Wegia)
CVE-2025-53823 (same product: Wegia Wegia)
CVE-2025-23219 (same product: Wegia Wegia)
CVE-2025-26608 (same product: Wegia Wegia)
CVE-2025-26609 (same product: Wegia Wegia)

Affected Assets

Vendor: wegia
Product: wegia
Versions: ≤ 3.6.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent: Directly mitigates the unsafe extract() on $_REQUEST by requiring validation of untrusted HTTP inputs to prevent local variable overwrites and authentication bypass.

prevent, recover: Ensures timely patching of the specific flaw in WeGIA versions prior to 3.6.5, directly addressing the CVE as confirmed by the vendor fix.

prevent: Enforces logical access controls to protected areas, limiting unauthorized access even if authentication variables are overwritten by malicious requests.
