VYPR
Medium severity5.9NVD Advisory· Published May 27, 2026· Updated May 27, 2026

CVE-2026-45027

CVE-2026-45027

Description

WeGIA is a web manager for charitable institutions. In versions prior to 3.7.3, when a user logs in, html/login.php hashes the submitted password using PHP's hash() function with the SHA-256 algorithm and no salt before comparing it to the stored value. The password change flow in controle/FuncionarioControle.php follows the same pattern. SHA-256 is a general-purpose cryptographic hash built for speed, not password storage. Without a salt, identical passwords produce identical digests, making the entire hash database vulnerable to a single precomputed rainbow table lookup. This vulnerability is fixed in 3.7.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Wegia/Wegiainferred2 versions
    <3.7.3+ 1 more
    • (no CPE)range: <3.7.3
    • (no CPE)range: <3.7.3

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.