CVE-2026-31894

WeGIA is a web manager for charitable institutions. In 3.6.5, The patched loadBackupDB() extracts tar.gz archives to a temporary directory using PHP's PharData class, then uses glob() and file_get_contents() to read SQL files from the extracted contents. Neither the extraction nor the file reading validates whether archive members are symbolic links. This vulnerability is fixed in 3.6.6.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/LabRedesCefetRJ/WeGIA/commit/79e7a164eddb527e3b331037b7a4defb8c115d50	Patch
https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-6mmm-27h8-8g55	Exploit Vendor Advisory Mitigation

Configurations

Configuration 1 (hide)

cpe:2.3:a:wegia:wegia:3.6.5:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-11 20:16

Updated : 2026-03-13 20:22

NVD link : CVE-2026-31894

Mitre link : CVE-2026-31894

CVE.ORG link : CVE-2026-31894

JSON object : View

Products Affected

wegia

wegia

CWE

CWE-59

Improper Link Resolution Before File Access ('Link Following')

{"id": "CVE-2026-31894", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-11T20:16:15.460", "references": [{"url": "https://github.com/LabRedesCefetRJ/WeGIA/commit/79e7a164eddb527e3b331037b7a4defb8c115d50", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-6mmm-27h8-8g55", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-59"}]}], "descriptions": [{"lang": "en", "value": "WeGIA is a web manager for charitable institutions. In 3.6.5, The patched loadBackupDB() extracts tar.gz archives to a temporary directory using PHP's PharData class, then uses glob() and file_get_contents() to read SQL files from the extracted contents. Neither the extraction nor the file reading validates whether archive members are symbolic links. This vulnerability is fixed in 3.6.6."}, {"lang": "es", "value": "WeGIA es un gestor web para instituciones ben\u00e9ficas. En 3.6.5, la funci\u00f3n `loadBackupDB()` parcheada extrae archivos tar.gz a un directorio temporal utilizando la clase `PharData` de PHP, luego usa `glob()` y `file_get_contents()` para leer archivos SQL del contenido extra\u00eddo. Ni la extracci\u00f3n ni la lectura de archivos validan si los miembros del archivo son enlaces simb\u00f3licos. Esta vulnerabilidad est\u00e1 corregida en 3.6.6."}], "lastModified": "2026-03-13T20:22:24.810", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wegia:wegia:3.6.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "45337EFE-D771-4223-BE77-E226D1D72FBF"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}