CVE-2026-31894

CVE-2026-31894 is a file access vulnerability (CWE-59: Improper Link Resolution Before File Access) affecting WeGIA version 3.6.5, an open-source web manager for charitable institutions. The issue resides in the loadBackupDB() function, which processes uploaded tar.gz backup archives by extracting them to a temporary directory using PHP's PharData class. It then employs glob() and file_get_contents() to read SQL files from the extracted contents. Critically, neither the extraction process nor the file reading operations validate whether archive members are symbolic links, enabling potential symlink following to unintended files. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and was published on 2026-03-11.

An unauthenticated remote attacker can exploit this vulnerability by supplying a malicious tar.gz archive via the backup restoration feature. During extraction, symlinks within the archive can point to arbitrary files on the server, such as sensitive configuration files or database contents. When the application subsequently reads files matching the glob pattern, it follows these symlinks, resulting in unauthorized disclosure of the targeted files' contents to the attacker. This achieves high confidentiality impact without requiring privileges, user interaction, or altering system integrity or availability.

The WeGIA GitHub security advisory (GHSA-6mmm-27h8-8g55) and the fixing commit (79e7a164eddb527e3b331037b7a4defb8c115d50) confirm the issue was resolved in version 3.6.6. Practitioners should advise upgrading to 3.6.6 or later, where proper symlink validation is implemented during extraction and file handling. No additional workarounds are detailed in the provided references.