CVE-2026-28408

Name of the Vulnerable Software and Affected Versions WeGIA versions prior to 3.6.5

Description WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, the adicionar tipo docs atendido.php script does not utilize the project’s central controller and lacks appropriate authentication and permission checks. This allows a malicious user to access features intended for employees by making requests through tools like Postman or directly via the file’s URL. The issue enables external parties to inject unauthorized data into the application server’s storage. The adicionar tipo docs atendido.php script is directly accessible, bypassing normal security measures.

Recommendations Versions prior to 3.6.5: Update to version 3.6.5 or later to resolve the authentication bypass and data injection issue.