CVE-2026-28409 - Vulnerability Analysis
CriticalCVSS: 10.0Last Updated: March 3, 2026
WeGIA - Remote Code Execution
Overview
WeGIA < 3.6.5 contains a remote code execution caused by improper validation of backup file names in the database restoration functionality, letting attackers with administrative access execute arbitrary OS commands.
Severity & Score
Impact
Attackers with admin access can execute arbitrary OS commands, potentially leading to full server compromise.
Mitigation
Upgrade to version 3.6.5 or later.
Social Media Activity(2 posts)
š“ CVE-2026-28409 - Critical (10) WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, a critical Remote Code Execution (RCE) vulnerability exists in the WeGIA application's database restoration functionality. An attacker with administrative access (which ca... š https://www.thehackerwire.com/vulnerability/CVE-2026-28409/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original post
šØ CVE-2026-28409: WeGIA <3.6.5 has a CRITICAL OS command injection flaw (CVSS 10). RCE possible via crafted backup filenames + admin access (can be gained with auth bypass). Upgrade to 3.6.5 ASAP! https://radar.offseq.com/threat/cve-2026-28409-cwe-78-improper-neutralization-of-s-258821fc #OffSeq #infosec #CVE202628409 #RCE
View original postRelated Resources
Details
- CVE ID
- CVE-2026-28409
- Severity
- Critical
- CVSS Score
- 10.0
- Type
- command_injection
- Status
- confirmed
- EPSS
- 21.5%
- Social Posts
- 2
CWE
- CWE-78
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H