CVE-2026-28409
Published 2026-02-27
Priority: P2 · 61 · high
CVSS 3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 3.31% (87.0th percentile)
WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, a critical Remote Code Execution (RCE) vulnerability exists in the WeGIA application's database restoration functionality. An attacker with administrative access (which can be obtained via the previously reported Authentication Bypass) can execute arbitrary OS commands on the server by uploading a backup file with a specifically crafted filename. Version 3.6.5 fixes the issue.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| labredescefetrj | wegia | < 3.6.5 | 3.6.5 |
| wegia | wegia | < 3.6.5 | 3.6.5 |
Detection & IOCs (extracted from sources)
- filename: dump;export F={(unknown)};eval $(echo Y2F0IC9ldGMvcGFzc3dkID4gL3Zhci93d3cvaHRtbC9XZUdJQS8kRi50eHQ= | base64 -d);poc.dump.tar.gz
- bytes: 1f8b08000000000000030300000000000000000000
- Look for multipart POST requests to /WeGIA/html/configuracao/importar_dump.php where the uploaded filename contains shell metacharacters (semicolons, pipe characters, base64-encoded payloads) indicative of command injection via a crafted backup filename.
- Detect GET requests to gerenciar_backup.php with an action=restore parameter whose file= value contains URL-encoded shell metacharacters (%3B = ';', %7C = '|') and base64 strings, indicating an RCE exploitation attempt.
- Monitor for the creation of unexpected .txt files under /var/www/html/WeGIA/ (e.g., <random>.txt), which are the exfiltration artifacts written by the injected command (cat /etc/passwd > /var/www/html/WeGIA/$F.txt).
- The exploit chain begins with an authentication bypass POST to /WeGIA/html/login.php using the hardcoded parameters c=true&cpf=admin&id_pessoa=1; alert on this specific login payload pattern.
- Regex match on the HTTP response body for 'root:.*:0:0:' to confirm successful /etc/passwd exfiltration via the RCE payload.
- The exploit requires administrative access, which can be chained from a prior authentication bypass vulnerability in WeGIA. The CVSS score of 10.0 with PR:N reflects the chained attack scenario, not standalone exploitation of this RCE.
- The Nuclei template uses a randomized 8-character lowercase alpha filename variable ({{to_lower(rand_text_alpha(8))}}) as the exfiltration artifact name; detection rules based on static filenames will miss this.
- Affected versions are WeGIA <= 3.6.4; version 3.6.5 patches the issue. Ensure version fingerprinting is used to scope detection to unpatched instances.
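The detection notes above, turned into a small request classifier as an added example (not code from the page or from the WeGIA project). The request-record schema and the sample traffic are constructed; the directory of gerenciar_backup.php is not given on the page, so only its basename is matched.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Shell metacharacters have no place in a backup file name; "base64" in a name is the
# decode-and-eval pattern the IOC above documents.
SHELL_META = re.compile(r"[;|&`$(){}<>]")
PASSWD_ROOT = re.compile(r"root:.*:0:0:")

def filename_is_suspicious(name: str) -> bool:
    return bool(SHELL_META.search(name)) or "base64" in name

def classify_request(req: dict) -> list[str]:
    """Tag one request record. Keys (constructed schema, not WeGIA's own):
    method, url, upload_filename (multipart part name), body (form body), response_body."""
    tags = []
    parts = urlsplit(req["url"])
    path, query = parts.path, parse_qs(parts.query)  # parse_qs decodes %3B, %7C, etc.
    if req["method"] == "POST" and path.endswith("/configuracao/importar_dump.php"):
        if filename_is_suspicious(req.get("upload_filename", "")):
            tags.append("wegia-restore-upload-cmdinj")
    if path.endswith("/gerenciar_backup.php") and query.get("action") == ["restore"]:
        if any(filename_is_suspicious(f) for f in query.get("file", [])):
            tags.append("wegia-restore-action-cmdinj")
    if req["method"] == "POST" and path.endswith("/login.php"):
        form = parse_qs(req.get("body", ""))
        if form.get("c") == ["true"] and form.get("cpf") == ["admin"] and form.get("id_pessoa") == ["1"]:
            tags.append("wegia-auth-bypass-login")
    if PASSWD_ROOT.search(req.get("response_body", "")):
        tags.append("etc-passwd-in-response")
    return tags

# Constructed sample traffic: one benign restore followed by the four patterns listed above.
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "/WeGIA/html/configuracao/importar_dump.php",
     "upload_filename": "wegia_2026-02-27.dump.tar.gz"},
    {"method": "POST", "url": "/WeGIA/html/configuracao/importar_dump.php",
     "upload_filename": "dump;eval $(echo Zm9v | base64 -d);poc.dump.tar.gz"},
    {"method": "GET", "url": "/WeGIA/html/configuracao/gerenciar_backup.php"  # directory assumed
                             "?action=restore&file=dump%3Bx%7Cbase64%20-d%3Bpoc.dump.tar.gz"},
    {"method": "POST", "url": "/WeGIA/html/login.php", "body": "c=true&cpf=admin&id_pessoa=1"},
    {"method": "GET", "url": "/WeGIA/html/index.php",
     "response_body": "root:x:0:0:root:/root:/bin/bash\n"},
]

def scan(requests: list[dict]) -> list[list[str]]:
    return [classify_request(r) for r in requests]

if __name__ == "__main__":
    for req, tags in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        print(req["method"], req["url"][:60], tags or "clean")
```

Scope the rules to instances fingerprinted at 3.6.4 or earlier, as the last note recommends, to keep alert volume down.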
No advisories linked to this vulnerability.
No detection rules found.
Nuclei
WeGIA <= 3.6.4 - Remote Code Execution (nuclei · CVSS 7.2)
CVE-2026-28409 [HIGH] WeGIA <= 3.6.4 - Remote Code Execution
WeGIA <= 3.6.5 contains a remote code execution caused by improper validation of backup file names in the database restoration functionality, letting attackers with administrative access execute arbitrary OS commands.
Template:
```yaml
id: CVE-2026-28409

info:
  name: WeGIA <= 3.6.4 - Remote Code Execution
  author: 0x_Akoko
  severity: critical
  description: |
    WeGIA <= 3.6.5 contains a remote code execution caused by improper validation of backup file names in the database restoration functionality, letting attackers with administrative access execute arbitrary OS commands
  impact: |
    Attackers with admin access can execute arbitrary OS commands, potentially leading to full server compromise.
  remediation: |
    Upgrade to version 3.6.5 or later.
  reference:
    - https://c
```
No writeups or analysis indexed.