216.73.216.102

CVE-2026-31894

· Published 11/03/2026 20:16 · Modified 12/03/2026 21:08

Labels: CVE-2026-31894 2026-03-11CVE-2026-31894CWE-59[email protected]

Essential information

Published
11/03/2026 20:16
Modified
12/03/2026 21:08
Author
Creator
CVSS
6.9 MEDIUM (v3) 6.9 MEDIUM (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

WeGIA is a web manager for charitable institutions. In 3.6.5, The patched loadBackupDB() extracts tar.gz archives to a temporary directory using PHP's PharData class, then uses glob() and file_get_contents() to read SQL files from the extracted contents. Neither the extraction nor the file reading validates whether archive members are symbolic links. This vulnerability is fixed in 3.6.6.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
wegia / wegia cpe:2.3:a:wegia:wegia:3.6.5:*:*:*:*:*:*:*
wegia / wegia cpe:2.3:a:wegia:wegia:3.6.6:*:*:*:*:*:*:*

References