Is Command Injection affected by CVE-2026-28409?

A critical remote code execution vulnerability (CVSS 10.0) affects WeGIA charitable institution management systems prior to version 3.6.5, allowing unauthenticated attackers to execute arbitrary code through the database restoration feature.

CVE-2026-28409

CRITICAL

2026-02-27 [email protected]

10.0

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Mar 03, 2026 - 18:20 vuln.today

Public exploit code

CVE Published

Feb 27, 2026 - 22:16 nvd

CRITICAL 10.0

Description

WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, a critical Remote Code Execution (RCE) vulnerability exists in the WeGIA application's database restoration functionality. An attacker with administrative access (which can be obtained via the previously reported Authentication Bypass) can execute arbitrary OS commands on the server by uploading a backup file with a specifically crafted filename. Version 3.6.5 fixes the issue.

Analysis

Critical RCE via OS command injection in WeGIA before 3.6.5. Unauthenticated attackers can execute arbitrary commands on the server. …

Remediation

Within 24 hours: Immediately disable or restrict access to WeGIA's database restoration functionality; isolate affected systems from production networks if running versions prior to 3.6.5; conduct urgent inventory of all WeGIA deployments and versions. Within 7 days: Monitor vendor communications for emergency patch release; implement network segmentation to limit lateral movement if compromise occurs; review access logs for exploitation attempts. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.3

CVSS: +50

POC: +20

CVE-2026-28409 vulnerability details – vuln.today

Back

CVE-2026-28409

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-28409

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code