CVE-2026-31894 MEDIUM

CVE-2026-31894: WeGIA affected by arbitrary file read via symlink in backup restore

Vendor Labredescefetrj
Product WeGIA
Weakness CWE-59
Published March 11, 2026
Last update March 12, 2026

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

WeGIA is a web manager for charitable institutions. In 3.6.5, The patched loadBackupDB() extracts tar.gz archives to a temporary directory using PHP's PharData class, then uses glob() and file_get_contents() to read SQL files from the extracted contents. Neither the extraction nor the file reading validates whether archive members are symbolic links. This vulnerability is fixed in 3.6.6.

Key dates

02Disclosure timeline

March 11, 2026 CVE published
March 12, 2026 Record updated