Skip to main content

WeGIA CVE-2026-45027

| EUVDEUVD-2026-32565 MEDIUM
Use of a One-Way Hash without a Salt (CWE-759)
2026-05-27 security-advisories@github.com
5.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 27, 2026 - 21:08 vuln.today
Patch available
May 27, 2026 - 19:46 EUVD

DescriptionGitHub Advisory

WeGIA is a web manager for charitable institutions. In versions prior to 3.7.3, when a user logs in, html/login.php hashes the submitted password using PHP's hash() function with the SHA-256 algorithm and no salt before comparing it to the stored value. The password change flow in controle/FuncionarioControle.php follows the same pattern. SHA-256 is a general-purpose cryptographic hash built for speed, not password storage. Without a salt, identical passwords produce identical digests, making the entire hash database vulnerable to a single precomputed rainbow table lookup. This vulnerability is fixed in 3.7.3.

AnalysisAI

Unsalted SHA-256 password hashing in WeGIA exposes all stored credentials to rainbow table attacks in versions prior to 3.7.3. Both the login flow (html/login.php) and the password-change flow (controle/FuncionarioControle.php) use PHP's hash() with SHA-256 and no per-user salt, meaning identical passwords always produce identical digests and a single precomputed table can compromise the entire credential database at once. No public exploit has been identified at time of analysis and no KEV listing exists, but exploitability is high once hash data is obtained - the attack requires only standard rainbow table tooling and no cryptographic skill.

Technical ContextAI

WeGIA is a PHP-based web management platform for charitable institutions. CWE-759 (Use of a One-Way Hash without a Salt) describes the root cause precisely: the application calls PHP's generic hash('sha256', $password) rather than the purpose-built password_hash() function, which defaults to bcrypt and automatically generates a cryptographically random per-user salt. SHA-256 is optimized for speed - it can be computed billions of times per second on commodity GPUs - making it entirely unsuitable for password storage. Without a salt, two users sharing the same password share the same digest, and an attacker can precompute a lookup table mapping common SHA-256 digests back to plaintext once and apply it to every account in the database simultaneously. No CPE strings were provided in the source data; affected versions are identified as WeGIA < 3.7.3 per EUVD-2026-32565.

RemediationAI

The vendor-released patch is WeGIA 3.7.3, which resolves the unsalted hashing in both html/login.php and controle/FuncionarioControle.php. Upgrade instructions and the full advisory are available at https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-hcgv-vmq6-j6qg. After upgrading, administrators should force a global password reset so that all existing unsalted SHA-256 digests stored in the database are invalidated and replaced with properly salted hashes under the new scheme - failing to do so leaves previously stored hashes exploitable if the database was ever exfiltrated. If immediate upgrade is not possible, restrict database access to application-layer processes only, disable external database exposure, and audit access logs for unauthorized database queries as a compensating control. Note that these controls reduce the attack surface for hash extraction but do not fix the underlying cryptographic weakness.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-45027 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy