PT-2026-24796 · Labredescefetrj+2 · Wegia

Exploitintel · Published 2026-03-11 · Updated 2026-03-11 · CVE-2026-31894

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: WeGIA versions prior to 3.6.6

Description: WeGIA is a web manager for charitable institutions. The loadBackupDB() function in version 3.6.5 extracts tar.gz archives to a temporary directory using PHP's PharData class, then uses glob() and file_get_contents() to read SQL files from the extracted contents. Neither the extraction nor the file-reading step validates whether archive members are symbolic links. This could allow unauthorized file access or modification.

Recommendations: Upgrade to WeGIA version 3.6.6 or later.
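The class of check the advisory says was missing, as an added example that is not WeGIA's code: it is written in Python (not PHP) and validates every tar.gz member before anything is extracted or read, rejecting symbolic and hard links, absolute names and `..` segments, and reading only regular `.sql` files. The archive bytes, member names and SQL content are constructed inline for the demonstration.

```python
import io
import tarfile

def unsafe_members(archive_bytes: bytes) -> list:
    """Names a backup loader must refuse; the check the advisory says loadBackupDB() lacked.
    Link members are rejected outright, as are absolute names and '..' segments."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.issym() or m.islnk():          # symlink or hard link member
                bad.append(m.name)
            elif m.name.startswith("/") or ".." in m.name.split("/"):
                bad.append(m.name)              # would land outside the temp dir
            elif not (m.isreg() or m.isdir()):  # devices, FIFOs etc.
                bad.append(m.name)
    return bad

def read_sql_dumps(archive_bytes: bytes) -> dict:
    """Read *.sql regular files from the archive; abort the restore on any unsafe member."""
    bad = unsafe_members(archive_bytes)
    if bad:
        raise ValueError(f"refusing backup archive, unsafe members: {bad}")
    dumps = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.isreg() and m.name.endswith(".sql"):
                dumps[m.name] = tar.extractfile(m).read().decode("utf-8")
    return dumps

def build_archive(entries) -> bytes:
    """Constructed test data: entries are (name, content_bytes, symlink_target)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data, target in entries:
            info = tarfile.TarInfo(name)
            if target is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = target
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed samples: a clean dump and one smuggling a symlink member.
CLEAN = build_archive([("backup/wegia.sql", b"CREATE TABLE t (id INT);", None)])
LINKED = build_archive([("backup/wegia.sql", b"SELECT 1;", None),
                        ("backup/secrets.sql", None, "/etc/passwd")])
```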

Exploit

Fix

Weakness Enumeration

Link Following

Related Identifiers

CVE-2026-31894
GHSA-6MMM-27H8-8G55

Affected Products

Wegia