CVE-2026-31894
WeGIA affected by arbitrary file read via symlink in backup restore
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
WeGIA is a web manager for charitable institutions. In 3.6.5, the patched loadBackupDB() extracts tar.gz archives to a temporary directory using PHP's PharData class, then uses glob() and file_get_contents() to read SQL files from the extracted contents. Neither the extraction nor the file reading validates whether archive members are symbolic links. This vulnerability is fixed in 3.6.6.
| CWE | CWE-59 |
| Vendor | labredescefetrj |
| Product | wegia |
| Published | Mar 11, 2026 |
| Last Updated | Mar 12, 2026 |
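The missing check described above can be illustrated with the following added example, which is not WeGIA's code and not the 3.6.6 fix. The function name readExtractedSqlFiles() and the fixture file names are hypothetical, and the fixture assumes a POSIX system where symlink() is available.

```php
<?php
// Added example: hypothetical helper, not WeGIA's code or its 3.6.6 fix.
// Reads *.sql files from an extraction directory, skipping symlinks and
// anything whose resolved path falls outside that directory.
function readExtractedSqlFiles(string $extractDir): array
{
    $base = realpath($extractDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('extraction directory missing');
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    $accepted = [];
    $rejected = [];
    foreach (glob($prefix . '*.sql') ?: [] as $path) {
        $real = realpath($path);
        // is_link() rejects a symlink member outright. The prefix check is a
        // second guard in case the pattern is later widened to subdirectories.
        if (is_link($path) || $real === false || !is_file($real)
            || strncmp($real, $prefix, strlen($prefix)) !== 0) {
            $rejected[] = basename($path);
            continue;
        }
        $accepted[basename($path)] = file_get_contents($real);
    }
    return ['accepted' => $accepted, 'rejected' => $rejected];
}

// Constructed fixture: one regular SQL file and one symlink with a .sql name
// that points at a file outside the extraction directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'restore_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$outside = tempnam(sys_get_temp_dir(), 'outside_');
file_put_contents($outside, "constructed file outside the extraction directory\n");
file_put_contents($dir . DIRECTORY_SEPARATOR . 'dump.sql', "CREATE TABLE t (id INT);\n");
symlink($outside, $dir . DIRECTORY_SEPARATOR . 'link.sql');

$result = readExtractedSqlFiles($dir);
echo json_encode([
    'accepted' => array_keys($result['accepted']),
    'rejected' => $result['rejected'],
]), PHP_EOL;

// Remove the fixture.
unlink($dir . DIRECTORY_SEPARATOR . 'link.sql');
unlink($dir . DIRECTORY_SEPARATOR . 'dump.sql');
rmdir($dir);
unlink($outside);
```

Logging the rejected names during a restore gives operators a record of archives that contained link members.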
Affected Versions
LabRedesCefetRJ / WeGIA
>= 3.6.5, < 3.6.6