CVE-2026-42871 Overview
CVE-2026-42871 is an information disclosure vulnerability in WeGIA, an open-source web manager used by charitable institutions. The flaw resides in atendido/familiar_docfamiliar.php, which returns overly descriptive error messages containing database-related details. Versions prior to 3.7.0 expose backend infrastructure details to unauthenticated remote attackers. The issue is classified under [CWE-200: Exposure of Sensitive Information to an Unauthorized Actor]. WeGIA maintainers fixed the vulnerability in release 3.7.0.
Critical Impact
Unauthenticated remote attackers can collect database error details to map the backend, enabling follow-on attacks such as SQL injection or targeted exploitation.
Affected Products
- WeGIA web manager versions prior to 3.7.0
- atendido/familiar_docfamiliar.php endpoint
- Deployments maintained by LabRedesCefetRJ
Discovery Timeline
- 2026-05-11 - CVE-2026-42871 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42871
Vulnerability Analysis
The vulnerability exists in the atendido/familiar_docfamiliar.php script of WeGIA. When the application encounters runtime errors, it returns verbose messages that include database-related diagnostic information. These messages can contain query fragments, table or column references, driver details, and stack context. Attackers can trigger errors using crafted parameters and read the response to learn about the backend.
This category of weakness is tracked as [CWE-200]. Information disclosure flaws rarely cause direct compromise on their own. They accelerate reconnaissance and reduce the effort required for chained attacks such as SQL injection, authentication bypass, or privilege escalation against the same component.
The attack vector is network-based and requires no authentication or user interaction. An attacker only needs HTTP access to the affected endpoint. The EPSS probability of exploitation is 0.055%, reflecting limited current exploitation interest, but the low barrier to abuse makes opportunistic scanning likely.
Root Cause
The root cause is improper handling of exceptions and database errors inside familiar_docfamiliar.php. The script propagates raw error output to the HTTP response rather than logging the detail server-side and returning a generic message to the client. PHP applications commonly exhibit this behavior when display_errors remains enabled or when database driver exceptions are echoed without sanitization.
Attack Vector
An attacker sends HTTP requests to the affected endpoint with malformed or unexpected parameter values. The server responds with detailed error output containing database context. The attacker harvests these messages to enumerate schema elements, identify the database engine, and plan subsequent attacks. No credentials or interactive session are required.
No public proof-of-concept exploit is currently published. Refer to the GitHub Security Advisory GHSA-xpvm-3f74-qvp2 for vendor technical details.
Detection Methods for CVE-2026-42871
Indicators of Compromise
- HTTP responses from atendido/familiar_docfamiliar.php containing SQL syntax errors, driver names, or table identifiers
- Repeated 200 or 500 responses from the same source IP targeting the affected endpoint with anomalous parameters
- Web server logs showing parameter fuzzing patterns against WeGIA URLs
Detection Strategies
- Inspect outbound HTTP response bodies for database error signatures such as SQLSTATE, mysqli, or PDOException
- Deploy web application firewall rules that flag database error strings leaving the application
- Review WeGIA access logs for high-frequency requests to familiar_docfamiliar.php with varied query strings
Monitoring Recommendations
- Aggregate WeGIA HTTP logs in a centralized analytics platform and alert on error response spikes
- Track per-source request rates against the atendido/ path to detect reconnaissance
- Correlate error disclosure events with subsequent injection attempts targeting the same host
How to Mitigate CVE-2026-42871
Immediate Actions Required
- Upgrade WeGIA to version 3.7.0 or later, which contains the official fix
- Disable verbose PHP error output in production by setting display_errors = Off
- Restrict external access to the WeGIA application until the patch is applied
Patch Information
The maintainers fixed CVE-2026-42871 in WeGIA release 3.7.0. The fix replaces the verbose error response in atendido/familiar_docfamiliar.php with a generic message and routes diagnostic detail to server-side logs. Review the GitHub Security Advisory GHSA-xpvm-3f74-qvp2 for full remediation details.
Workarounds
- Configure PHP to suppress error output to clients while retaining server-side logging
- Place a reverse proxy or WAF in front of WeGIA to strip database error patterns from responses
- Block direct internet exposure of the atendido/ directory through network ACLs
# Configuration example: disable verbose PHP errors in production
# /etc/php/8.x/fpm/php.ini
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /var/log/php/error.log
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
