PT-2026-22413 · Wegia · Wegia

Hunterxsirago1 · Published 2026-02-27 · Updated 2026-03-04 · CVE-2026-28411

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

WeGIA versions prior to 3.6.5

Description

WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, an unsafe use of the extract() function on the $_REQUEST superglobal allows an unauthenticated attacker to overwrite local variables in multiple PHP scripts. This can bypass authentication checks, allowing unauthorized access to administrative and protected areas of the WeGIA application. extract() is a PHP function that converts the entries of an array into individual variables. The $_REQUEST superglobal contains data from GET, POST, and COOKIE requests.

Recommendations

Update WeGIA to version 3.6.5.
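
The pattern described above, next to a hardened form, as an added example that is not taken from WeGIA's code base. The function names, the `authorized` and `page` keys and the `$request`/`$session` arrays (stand-ins for `$_REQUEST` and `$_SESSION`) are hypothetical and the sample input is constructed.

```php
<?php
declare(strict_types=1);

// Added illustration, not WeGIA source. All function, key and variable
// names below are hypothetical; $request stands in for $_REQUEST.

// Vulnerable pattern: extract() defaults to EXTR_OVERWRITE, so any request
// key named like an existing local variable replaces that variable.
function handleVulnerable(array $request, array $session): array
{
    $authorized = isset($session['user_id']); // server-side decision
    $page = 1;
    extract($request);                        // client input can now replace $authorized
    return ['authorized' => (bool) $authorized, 'page' => (int) $page];
}

// Hardened pattern: read only the keys the script expects, validate each,
// and derive authorization from server-side session state alone.
function handleHardened(array $request, array $session): array
{
    $authorized = isset($session['user_id']);
    $page = filter_var($request['page'] ?? 1, FILTER_VALIDATE_INT,
        ['options' => ['default' => 1, 'min_range' => 1]]);
    return ['authorized' => $authorized, 'page' => $page];
}

// Constructed sample input: no session, and a request carrying an extra
// parameter whose name matches the local authorization variable.
$session = [];
$request = ['page' => '2', 'authorized' => '1'];

var_dump(handleVulnerable($request, $session));
var_dump(handleHardened($request, $session));
```

Run with the PHP CLI: the first handler's `authorized` value follows the request parameter, while the second depends only on the session. Passing `EXTR_SKIP` to extract() stops existing variables from being replaced but still lets the request define variables the script has not initialized yet, so reading named keys explicitly is the more robust fix.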

Exploit

Fix

Authentication Bypass Using an Alternate Path or Channel

Weakness Enumeration

Related Identifiers

CVE-2026-28411
GHSA-G7R9-HXC8-8VH7

Affected Products

Wegia