{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31894", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T21:59:02.688Z", "datePublished": "2026-03-11T19:05:51.687Z", "dateUpdated": "2026-03-12T20:03:42.724Z"}, "containers": {"cna": {"title": "WeGIA affected by arbitrary file read via symlink in backup restore", "problemTypes": [{"descriptions": [{"cweId": "CWE-59", "lang": "en", "description": "CWE-59: Improper Link Resolution Before File Access ('Link Following')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-6mmm-27h8-8g55", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-6mmm-27h8-8g55"}, {"name": "https://github.com/LabRedesCefetRJ/WeGIA/commit/79e7a164eddb527e3b331037b7a4defb8c115d50", "tags": ["x_refsource_MISC"], "url": "https://github.com/LabRedesCefetRJ/WeGIA/commit/79e7a164eddb527e3b331037b7a4defb8c115d50"}], "affected": [{"vendor": "LabRedesCefetRJ", "product": "WeGIA", "versions": [{"version": ">= 3.6.5, < 3.6.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T19:05:51.687Z"}, "descriptions": [{"lang": "en", "value": "WeGIA is a web manager for charitable institutions. In 3.6.5, The patched loadBackupDB() extracts tar.gz archives to a temporary directory using PHP's PharData class, then uses glob() and file_get_contents() to read SQL files from the extracted contents. Neither the extraction nor the file reading validates whether archive members are symbolic links. This vulnerability is fixed in 3.6.6."}], "source": {"advisory": "GHSA-6mmm-27h8-8g55", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T20:03:36.257743Z", "id": "CVE-2026-31894", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T20:03:42.724Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31894", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T20:03:36.257743Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T20:03:39.738Z"}}], "cna": {"title": "WeGIA affected by arbitrary file read via symlink in backup restore", "source": {"advisory": "GHSA-6mmm-27h8-8g55", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "LabRedesCefetRJ", "product": "WeGIA", "versions": [{"status": "affected", "version": ">= 3.6.5, < 3.6.6"}]}], "references": [{"url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-6mmm-27h8-8g55", "name": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-6mmm-27h8-8g55", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/LabRedesCefetRJ/WeGIA/commit/79e7a164eddb527e3b331037b7a4defb8c115d50", "name": "https://github.com/LabRedesCefetRJ/WeGIA/commit/79e7a164eddb527e3b331037b7a4defb8c115d50", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WeGIA is a web manager for charitable institutions. In 3.6.5, The patched loadBackupDB() extracts tar.gz archives to a temporary directory using PHP's PharData class, then uses glob() and file_get_contents() to read SQL files from the extracted contents. Neither the extraction nor the file reading validates whether archive members are symbolic links. This vulnerability is fixed in 3.6.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-59", "description": "CWE-59: Improper Link Resolution Before File Access ('Link Following')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T19:05:51.687Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31894", "state": "PUBLISHED", "dateUpdated": "2026-03-12T20:03:42.724Z", "dateReserved": "2026-03-09T21:59:02.688Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T19:05:51.687Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wegia:wegia:3.6.5:*:*:*:*:*:*:*", "matchCriteriaId": "45337EFE-D771-4223-BE77-E226D1D72FBF", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WeGIA is a web manager for charitable institutions. In 3.6.5, The patched loadBackupDB() extracts tar.gz archives to a temporary directory using PHP's PharData class, then uses glob() and file_get_contents() to read SQL files from the extracted contents. Neither the extraction nor the file reading validates whether archive members are symbolic links. This vulnerability is fixed in 3.6.6."}, {"lang": "es", "value": "WeGIA es un gestor web para instituciones ben\u00e9ficas. En 3.6.5, la funci\u00f3n `loadBackupDB()` parcheada extrae archivos tar.gz a un directorio temporal utilizando la clase `PharData` de PHP, luego usa `glob()` y `file_get_contents()` para leer archivos SQL del contenido extra\u00eddo. Ni la extracci\u00f3n ni la lectura de archivos validan si los miembros del archivo son enlaces simb\u00f3licos. Esta vulnerabilidad est\u00e1 corregida en 3.6.6."}], "id": "CVE-2026-31894", "lastModified": "2026-03-13T20:22:24.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-11T20:16:15.460", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/LabRedesCefetRJ/WeGIA/commit/79e7a164eddb527e3b331037b7a4defb8c115d50"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-6mmm-27h8-8g55"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.6.5,3.6.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "WeGIA", "source": "cna", "vendor": "LabRedesCefetRJ"}, "product": "wegia", "vendor": "labredescefetrj"}], "analysis": {"en": {"generated_at": "2026-03-17T15:48:49.359396+00:00", "value": {"mitigation_remediation": ["Upgrade WeGIA to version\u202f3.6.6 or later, where the extraction and file reading steps validate against symbolic links.", "If immediate upgrade is not possible, restrict the backup restore feature to trusted administrators only and monitor for anomalous uploads.", "Consider temporarily disabling the backup restore functionality until a patch is applied.", "Review upload permissions and file system paths to ensure no unintended access to sensitive directories."], "summary": {"action": "Apply Update", "impact": "Arbitrary File Read"}, "threat_synthesis": {"affected_systems": "The affected product is WeGIA Web Manager from LabRedesCefetRJ, specifically version\u202f3.6.5. The cpe identified is cpe:2.3:a:wegia:wegia:3.6.5:*:*:*:*:*:*:*.", "description_and_impact": "WeGIA's backup restore function in version\u202f3.6.5 uses PHP's PharData class to extract tar.gz archives and then reads SQL files with file_get_contents() after a glob(). The implementation does not verify whether extracted archive members are symbolic links. An attacker can upload a crafted archive containing symlinks that point to sensitive files on the server, leading to arbitrary file reads and confidentiality compromise. This vulnerability is identified as CWE\u201159 (OS Command Injection/Path Traversal).", "risk_and_exploitability": "The CVSS score is 6.9, indicating moderate severity. The EPSS score is <1%, suggesting low likelihood of exploitation, and the vulnerability is not listed in CISA KEV. The attack requires the ability to upload a backup archive and trigger its restoration, which typically implies local or administrative access to the server. Once the condition is met, the attacker can read arbitrary files exposed to the PHP process. Overall, the risk is moderate and primarily relevant to systems that allow untrusted users to upload or restore backups without validation."}}}}, "created": "2026-03-12T09:56:49.542883+00:00", "updated": "2026-03-20T15:29:24.336943+00:00", "vendors": ["labredescefetrj", "labredescefetrj$PRODUCT$wegia"]}