CVE-2026-28409 CRITICAL

CVE-2026-28409: WeGIA Vulnerable to Remote Code Execution (RCE) via OS Command Injection

Vendor Labredescefetrj

Product WeGIA

Weakness CWE-78

Published February 27, 2026

Last update March 2, 2026

View on NVD All CVEs

CVSS base score

10.0/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, a critical Remote Code Execution (RCE) vulnerability exists in the WeGIA application's database restoration functionality. An attacker with administrative access (which can be obtained via the previously reported Authentication Bypass) can execute arbitrary OS commands on the server by uploading a backup file with a specifically crafted filename. Version 3.6.5 fixes the issue.

Key dates

02Disclosure timeline

February 27, 2026 CVE published

March 2, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-28409 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

CVE-2026-28409: WeGIA Vulnerable to Remote Code Execution (RCE) via OS Command Injection

01Description

02Disclosure timeline

03References

04Related CVE