CVE-2026-31894 is an improper link resolution vulnerability (CWE-59) found in WeGIA, a web management application used by charitable institutions. In version 3.6.5, the loadBackupDB() function extracts tar.gz archives using PHP's PharData class to a temporary directory. The extraction process does not validate whether archive members are symbolic links, allowing an attacker to craft malicious archives containing symlinks. After extraction, the application uses glob() and file_get_contents() to read SQL files from the extracted contents, again without verifying if these files are symlinks. This improper handling can lead to directory traversal or arbitrary file read/write operations, potentially allowing an attacker with access to the backup process to overwrite or read sensitive files outside the intended directory. The vulnerability requires the attacker to have high privileges on the system (as indicated by the CVSS vector) but does not require user interaction or authentication. The flaw is addressed in WeGIA version 3.6.6 by adding validation to prevent symbolic link exploitation during archive extraction and file reading. No known exploits are currently reported in the wild, but the vulnerability poses a significant risk due to the sensitive nature of the data managed by WeGIA and the potential for privilege escalation or data compromise.

The vulnerability could allow an attacker with sufficient privileges to manipulate backup archives to include symbolic links that point to arbitrary files on the server. When these archives are extracted and processed, the attacker could cause the application to overwrite critical files or read sensitive data outside the intended backup scope. This can lead to unauthorized disclosure of confidential information, data integrity violations, or denial of service if critical files are corrupted. Given that WeGIA is used by charitable institutions, the impact includes potential exposure of donor information, financial data, and operational details. The requirement for high privileges limits exploitation to insiders or attackers who have already compromised privileged accounts, but the lack of user interaction or authentication requirements means exploitation can be automated once access is obtained. The medium CVSS score (6.9) reflects the moderate ease of exploitation combined with significant impact on confidentiality and integrity.

Organizations should upgrade WeGIA to version 3.6.6 or later, where the vulnerability is patched. Until the upgrade is applied, administrators should restrict access to the backup and restore functions to trusted users only, minimizing the risk of malicious archive uploads. Implement file system monitoring to detect unexpected symbolic links or changes in backup directories. Additionally, consider sandboxing the extraction process or using alternative extraction methods that validate symbolic links and prevent directory traversal. Regularly audit backup files for integrity and unexpected content. Employ strict file permissions on temporary directories used during extraction to limit the impact of any exploitation. Finally, monitor logs for unusual activity related to backup operations that could indicate exploitation attempts.