CVE-2026-28411 CRITICAL

CVE-2026-28411: WeGIA Vulnerable to Authentication Bypass via `extract($_REQUEST)`

Vendor Labredescefetrj
Product WeGIA
Weakness CWE-288
Published February 27, 2026
Last update March 2, 2026

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, an unsafe use of the `extract()` function on the `$_REQUEST` superglobal allows an unauthenticated attacker to overwrite local variables in multiple PHP scripts. This vulnerability can be leveraged to completely bypass authentication checks, allowing unauthorized access to administrative and protected areas of the WeGIA application. Version 3.6.5 fixes the issue.
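To show the mechanism the description refers to, here is an added PHP illustration that is not WeGIA's code: a constructed request whose parameter name collides with a local variable, the `extract($_REQUEST)` pattern that lets the request overwrite that variable, and two ways to close the hole. The variable and parameter names (`$is_authenticated`, `id`) are hypothetical and do not come from the WeGIA sources.

```php
<?php
// Added illustration, not WeGIA code. Shows why extract() on request data
// can clobber an application's own variables, and how to avoid it.

// Constructed request: the parameter name is chosen to match a local variable.
// Both names are hypothetical.
$request = ['is_authenticated' => '1', 'id' => '42'];

// Vulnerable pattern: extract() defaults to EXTR_OVERWRITE, so any request key
// that matches an existing variable name replaces its value.
function vulnerable(array $request): bool
{
    $is_authenticated = false;   // decided by the application before extract()
    extract($request);           // $is_authenticated is now '1' (truthy)
    return (bool) $is_authenticated;
}

// Partial mitigation: EXTR_SKIP leaves existing variables untouched, but the
// request can still introduce new variables into the scope.
function hardenedSkip(array $request): bool
{
    $is_authenticated = false;
    extract($request, EXTR_SKIP);
    return (bool) $is_authenticated;
}

// Preferred fix: read only the keys the script expects, with explicit typing,
// and never let request data name variables.
function hardenedExplicit(array $request): bool
{
    $is_authenticated = false;
    $id = isset($request['id']) ? (int) $request['id'] : 0;  // the one input actually needed
    // ... use $id for the lookup; the auth decision is not derived from the request ...
    return $is_authenticated;
}

var_dump(vulnerable($request));
var_dump(hardenedSkip($request));
var_dump(hardenedExplicit($request));
```

Run with `php example.php`. `EXTR_SKIP` is enough to stop an existing local from being clobbered, but it still lets request keys define new variables, so reading the expected keys explicitly is the safer fix. Auditing a code base for this class of issue comes down to searching for `extract(` applied to `$_REQUEST`, `$_GET` or `$_POST` and replacing each occurrence with explicit key reads.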

Key dates

Disclosure timeline

February 27, 2026 CVE published
March 2, 2026 Record updated