{"id":"CVE-2026-31894","summary":"WeGIA affected by arbitrary file read via symlink in backup restore","details":"WeGIA is a web manager for charitable institutions. In 3.6.5, the patched loadBackupDB() function extracts tar.gz archives to a temporary directory using PHP's PharData class, then uses glob() and file_get_contents() to read SQL files from the extracted contents. Neither the extraction nor the file reading validates whether archive members are symbolic links, so a crafted archive containing a symlink member that points outside the extraction directory causes file_get_contents() to follow the link and return the target's contents instead of an extracted SQL file (CWE-59), yielding an arbitrary read of any file the PHP process can access. Per the CVSS vector (PR:H), exploitation requires an account with high privileges, i.e. one able to supply an archive to the backup restore. This vulnerability is fixed in 3.6.6.","aliases":["GHSA-6mmm-27h8-8g55"],"modified":"2026-04-02T13:24:07.128741Z","published":"2026-03-11T19:05:51.687Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31894.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-59"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31894.json"},{"type":"ADVISORY","url":"https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-6mmm-27h8-8g55"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31894"},{"type":"FIX","url":"https://github.com/LabRedesCefetRJ/WeGIA/commit/79e7a164eddb527e3b331037b7a4defb8c115d50"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/labredescefetrj/wegia","events":[{"introduced":"592a08154cf1268ea0344031618b03899168e6a0"},{"fixed":"4b6dd776cf21c20f1f06407331b8b11c8958b427"}]}],"versions":["3.6.5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31894.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"}]}