PHP External Variable Modification in WeGIA - CVE-2026-28411

 


Published: April 23, 2026


Vulnerability identifier: #VU127324
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-28411
CWE-ID: CWE-473
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LabReDeS
Affected software:
WeGIA

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authentication and gain unauthorized administrative access.

The vulnerability exists due to PHP external variable modification in multiple PHP scripts that call extract($_REQUEST) when handling user-supplied request parameters. A remote attacker can send specially crafted GET or POST parameters to bypass authentication and gain unauthorized administrative access.

The issue affects the login handler and other protected endpoints where request parameters can overwrite local variables used in authentication or authorization logic.
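
The overwrite described above, shown as an added example that is not taken from WeGIA's code: a constructed handler where extract() lets a request key replace a server-side flag, beside a form that reads only allowlisted fields. The function names, field names and sample input are hypothetical.

```php
<?php
// Constructed illustration of CWE-473; not WeGIA code. All names are hypothetical.

// Vulnerable pattern: every request key becomes a local variable.
function is_admin_vulnerable(array $request, array $session): bool
{
    $isAdmin = ($session['role'] ?? '') === 'admin'; // server-side decision
    extract($request); // stands in for extract($_REQUEST); default is EXTR_OVERWRITE
    return (bool) $isAdmin; // now reflects whatever the request supplied
}

// Hardened pattern: read only the expected fields and keep them out of local scope.
const ALLOWED_FIELDS = ['login', 'password'];

function read_fields(array $request): array
{
    $fields = [];
    foreach (ALLOWED_FIELDS as $name) {
        $value = $request[$name] ?? '';
        $fields[$name] = is_string($value) ? $value : ''; // reject array-valued input
    }
    return $fields;
}

function is_admin_hardened(array $request, array $session): bool
{
    $isAdmin = ($session['role'] ?? '') === 'admin';
    $fields = read_fields($request); // request data lives only in $fields (for credential checks)
    return $isAdmin; // decided from server-side state alone
}

// Constructed sample input: an unprivileged session plus an unexpected request key.
$session = ['role' => 'guest'];
$request = ['login' => 'visitor', 'isAdmin' => '1'];

var_dump(is_admin_vulnerable($request, $session));
var_dump(is_admin_hardened($request, $session));
```

Passing EXTR_SKIP to extract() is not a complete fix, because it still creates any variable the script has not defined before the call.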


How to mitigate CVE-2026-28411

Install the security update from the vendor's website.
