Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
WeGIA is a web manager for charitable institutions. In versions prior to 3.7.3, when a user logs in, html/login.php hashes the submitted password using PHP's hash() function with the SHA-256 algorithm and no salt before comparing it to the stored value. The password change flow in controle/FuncionarioControle.php follows the same pattern. SHA-256 is a general-purpose cryptographic hash built for speed, not password storage. Without a salt, identical passwords produce identical digests, making the entire hash database vulnerable to a single precomputed rainbow table lookup. This vulnerability is fixed in 3.7.3.
AnalysisAI
Unsalted SHA-256 password hashing in WeGIA exposes all stored credentials to rainbow table attacks in versions prior to 3.7.3. Both the login flow (html/login.php) and the password-change flow (controle/FuncionarioControle.php) use PHP's hash() with SHA-256 and no per-user salt, meaning identical passwords always produce identical digests and a single precomputed table can compromise the entire credential database at once. No public exploit has been identified at time of analysis and no KEV listing exists, but exploitability is high once hash data is obtained - the attack requires only standard rainbow table tooling and no cryptographic skill.
Technical ContextAI
WeGIA is a PHP-based web management platform for charitable institutions. CWE-759 (Use of a One-Way Hash without a Salt) describes the root cause precisely: the application calls PHP's generic hash('sha256', $password) rather than the purpose-built password_hash() function, which defaults to bcrypt and automatically generates a cryptographically random per-user salt. SHA-256 is optimized for speed - it can be computed billions of times per second on commodity GPUs - making it entirely unsuitable for password storage. Without a salt, two users sharing the same password share the same digest, and an attacker can precompute a lookup table mapping common SHA-256 digests back to plaintext once and apply it to every account in the database simultaneously. No CPE strings were provided in the source data; affected versions are identified as WeGIA < 3.7.3 per EUVD-2026-32565.
RemediationAI
The vendor-released patch is WeGIA 3.7.3, which resolves the unsalted hashing in both html/login.php and controle/FuncionarioControle.php. Upgrade instructions and the full advisory are available at https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-hcgv-vmq6-j6qg. After upgrading, administrators should force a global password reset so that all existing unsalted SHA-256 digests stored in the database are invalidated and replaced with properly salted hashes under the new scheme - failing to do so leaves previously stored hashes exploitable if the database was ever exfiltrated. If immediate upgrade is not possible, restrict database access to application-layer processes only, disable external database exposure, and audit access logs for unauthorized database queries as a compensating control. Note that these controls reduce the attack surface for hash extraction but do not fix the underlying cryptographic weakness.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-759 – Use of a One-Way Hash without a Salt
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32565