CVE-2026-28408 · CRITICAL 9.8 · EPSS p39.6%

Description

WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, the script in adicionar_tipo_docs_atendido.php does not go through the project's central controller and does not have its own authentication and permission checks. A malicious user could make a request through tools like Postman or the file's URL on the web to access features exclusive to employees. The vulnerability allows external parties to inject unauthorized data in massive quantities into the application server's storage. Version 3.6.5 fixes the issue.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.51% probability of exploitation · percentile 39.6% · 2026-06-19T12:03:05Z
Published: 2026-02-27
Last modified: 2026-03-03

Underlying weaknesses · 2

CWE-287, CWE-862

References

  1. https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-xq3w-xwxj-fg2q

Type · Target · Confidence · Tier
Weakness · Improper Authentication (cwe-287) · 0% · live
Weakness · Missing Authorization (cwe-862) · 0% · live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-40285
  2. CVE-2025-26608
  3. CVE-2025-58453
  4. CVE-2026-28411
  5. CVE-2025-26606
  6. CVE-2025-26607

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.