Unrated severity · NVD Advisory · Published Feb 27, 2026 · Updated Mar 2, 2026
WeGIA Vulnerable to Authentication Bypass via `extract($_REQUEST)`
CVE-2026-28411
Description
WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, an unsafe use of the extract() function on the $_REQUEST superglobal allows an unauthenticated attacker to overwrite local variables in multiple PHP scripts. This vulnerability can be leveraged to completely bypass authentication checks, allowing unauthorized access to administrative and protected areas of the WeGIA application. Version 3.6.5 fixes the issue.
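A code-review check for the pattern described above, as an added example that is not taken from the advisory or from WeGIA: a heuristic, regex-based scan of PHP source for `extract()` calls on request-controlled superglobals. The function name, the flag grouping and the sample input are assumptions made for this illustration.

```python
import re

# Request-controlled PHP superglobals (the advisory names $_REQUEST).
SUPERGLOBALS = ("$_REQUEST", "$_GET", "$_POST", "$_COOKIE")
# extract() flags that leave an already-defined variable untouched.
NON_OVERWRITING = ("EXTR_SKIP", "EXTR_PREFIX_SAME", "EXTR_PREFIX_ALL",
                   "EXTR_PREFIX_IF_EXISTS")

# String literals and comments, blanked before matching so that text inside
# them is never reported as a call.
TOKEN = re.compile(
    r"'(?:\\.|[^'\\])*'"       # single-quoted string
    r'|"(?:\\.|[^"\\])*"'      # double-quoted string
    r"|(?://|#)[^\n]*"         # line comment
    r"|/\*.*?\*/",             # block comment
    re.S)
# A plain function call: not ->extract(), ::extract(), my_extract() or $extract().
CALL = re.compile(r"(?<![\w>:$])extract\s*\(", re.I)


def find_unsafe_extract(src):
    """Return (line, superglobal, overwrites) for each extract() on request data."""
    clean = TOKEN.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), src)
    findings = []
    for m in CALL.finditer(clean):
        depth, i = 1, m.end()
        while i < len(clean) and depth:          # walk to the matching ")"
            depth += {"(": 1, ")": -1}.get(clean[i], 0)
            i += 1
        args = clean[m.end():i - 1]
        hit = next((g for g in SUPERGLOBALS if g in args), None)
        if hit:
            overwrites = not any(f in args for f in NON_OVERWRITING)
            line = clean.count("\n", 0, m.start()) + 1
            findings.append((line, hit, overwrites))
    return findings


# Constructed sample, not WeGIA source.
SAMPLE = r"""<?php
session_start();
$logged = isset($_SESSION['user']);
extract($_REQUEST);
// extract($_POST); commented out
extract($_GET, EXTR_SKIP);
extract($row);
$view->extract($_POST);
"""

if __name__ == "__main__":
    for line, name, overwrites in find_unsafe_extract(SAMPLE):
        print(f"line {line}: extract({name}) overwrites existing variables: {overwrites}")
```

Findings with `overwrites` set to `False` still deserve review, because a non-overwriting `extract()` on request data can define any variable that has not been set yet at that point in the script.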
Affected products
- Range: < 3.6.5
References
- github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-g7r9-hxc8-8vh7 (mitre, x_refsource_CONFIRM)