PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45027 LabRedesCefetRJ CVE debrief

WeGIA versions prior to 3.7.3 store passwords as unsalted SHA-256 digests in the authentication and password-change flows. SHA-256 is a fast, general-purpose hash with no per-user salt and no tunable work factor, so it is unsuitable for password storage: identical passwords yield identical digests, a single precomputed table or one offline cracking pass covers every account at once, and commodity GPUs can test billions of candidates per second against a leaked credential table. The vulnerability is fixed in version 3.7.3.

Vendor
LabRedesCefetRJ
Product
WeGIA
CVSS
MEDIUM 5.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Organizations operating WeGIA for charitable institution management; security teams responsible for PHP application hardening; compliance auditors evaluating password-storage controls against OWASP or NIST guidelines.

Technical summary

The WeGIA web application hashes passwords with PHP's hash() function using SHA-256 and no salt during login (html/login.php) and password changes (controle/FuncionarioControle.php). Because SHA-256 is designed to be fast and is not memory-hard, an attacker who obtains the credential table can brute-force it at very high guess rates. Because no salt is mixed in, every user who chose the same password has the same stored digest, so one precomputed lookup (a rainbow or dictionary table) is reusable against the entire user base and the cracking effort does not scale with the number of accounts. Version 3.7.3 remediates this weakness.
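The following is an added example written for this debrief; it is not WeGIA's code and does not reproduce the project's files. It shows the unsalted SHA-256 pattern the advisory describes, why one precomputed table breaks every account that shares a password, and a hardened replacement using PHP's built-in password_hash()/password_verify() with a transparent upgrade of legacy records on successful login. The user records, wordlist and the rule that a 64-hex-character value is a legacy digest are assumptions constructed for the demo.

```php
<?php
// Added example (not WeGIA's code): the unsalted SHA-256 pattern the advisory
// describes, beside a salted, slow-hash replacement and a migration path.
// User records, attacker wordlist and passwords below are constructed for the demo.

declare(strict_types=1);

// --- Vulnerable pattern (as described in the advisory): fast hash, no salt ---
function legacyHash(string $password): string {
    return hash('sha256', $password);
}

function legacyVerify(string $password, string $storedHash): bool {
    // Constant-time compare so we do not add a timing leak on top of the weak hash.
    return hash_equals($storedHash, legacyHash($password));
}

// --- Why it is weak: one precomputed table breaks every matching account at once ---
function crackLegacy(array $users, array $wordlist): array {
    // Build a digest -> password lookup once; it is reusable for every user
    // because no per-user salt changes the digest. (A rainbow table is a
    // compressed form of exactly this precomputation.)
    $table = [];
    foreach ($wordlist as $word) {
        $table[legacyHash($word)] = $word;
    }
    $cracked = [];
    foreach ($users as $username => $storedHash) {
        if (isset($table[$storedHash])) {
            $cracked[$username] = $table[$storedHash];
        }
    }
    return $cracked;
}

// --- Hardened pattern: per-user random salt and a deliberately slow algorithm ---
// PASSWORD_DEFAULT is bcrypt on current PHP; PASSWORD_ARGON2ID is available where
// the build supports it. The salt is generated and embedded in the returned string.
function secureHash(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

function secureVerify(string $password, string $storedHash): bool {
    return password_verify($password, $storedHash);
}

// --- Migration: accept a legacy hash once, then replace it transparently ---
// Assumption for this demo: a stored value of 64 hex characters is a legacy
// unsalted SHA-256 digest; password_hash() output always starts with '$'.
function isLegacyHash(string $storedHash): bool {
    return (bool) preg_match('/^[0-9a-f]{64}$/', $storedHash);
}

/**
 * Verifies a login and returns the hash that should now be stored, or null on
 * failure. Legacy digests are upgraded on the first successful login; modern
 * hashes are rehashed when the cost parameters have been raised.
 */
function verifyAndUpgrade(string $password, string $storedHash): ?string {
    if (isLegacyHash($storedHash)) {
        return legacyVerify($password, $storedHash) ? secureHash($password) : null;
    }
    if (!secureVerify($password, $storedHash)) {
        return null;
    }
    return password_needs_rehash($storedHash, PASSWORD_DEFAULT)
        ? secureHash($password)
        : $storedHash;
}

// --- Demo on a constructed legacy credential table ---
$users = [
    'ana'   => legacyHash('Verao2024!'),
    'bruno' => legacyHash('Verao2024!'),   // same password => identical digest
    'carla' => legacyHash('x9#Ql7vP2m'),
];
$wordlist = ['123456', 'senha', 'Verao2024!', 'wegia'];  // constructed attacker list

echo "Identical digests for ana and bruno: ", var_export($users['ana'] === $users['bruno'], true), PHP_EOL;
print_r(crackLegacy($users, $wordlist));  // ana and bruno both recovered from one lookup

// Salted hashes differ even for the same password, so no shared table applies.
$h1 = secureHash('Verao2024!');
$h2 = secureHash('Verao2024!');
echo "Salted hashes differ: ", var_export($h1 !== $h2, true), PHP_EOL;

// A successful login against the legacy record yields a modern hash to store.
$newHash = verifyAndUpgrade('Verao2024!', $users['ana']);
echo "Upgraded on login: ", var_export($newHash !== null && !isLegacyHash($newHash), true), PHP_EOL;
echo "Wrong password rejected: ", var_export(verifyAndUpgrade('wrong', $users['ana']) === null, true), PHP_EOL;
```

Run it with the PHP CLI. The migration path only rehashes users who log in; records that never see a successful login keep the legacy digest and remain crackable, which is why a forced reset for dormant accounts is still worth considering. Note also that bcrypt (PASSWORD_DEFAULT) only uses the first 72 bytes of the password; if that matters for your policy, use PASSWORD_ARGON2ID where available.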

Defensive priority

medium

Recommended defensive actions

  • Upgrade WeGIA to version 3.7.3 or later to obtain the corrected password-hashing implementation.
  • Confirm whether 3.7.3 rehashes existing credentials (for example on the next successful login) or leaves the old digests in place; upgrading the code does not by itself rewrite hashes already in the database, and any remaining unsalted SHA-256 values stay crackable. Force a password reset for accounts that have not been rehashed, and for all accounts if unauthorized access to the database is suspected.
  • Verify that any custom authentication modules do not replicate the unsalted SHA-256 pattern.
  • Review application logs for anomalous authentication patterns that may indicate credential-based attacks.

Evidence notes

Official GitHub Security Advisory GHSA-hcgv-vmq6-j6qg confirms the hashing implementation in html/login.php and controle/FuncionarioControle.php, the absence of salt, and the fix in 3.7.3.

Official resources

2026-05-27