Add CVE-2026-28409.yaml - WeGIA <= 3.6.4 - Remote Code Execution#15939

Open
Akokonunes wants to merge 3 commits into main from Akokonunes-patch-10

@Akokonunes
Contributor

CVE-2026-28409 details added, highlighting a critical remote code execution vulnerability in WeGIA versions <= 3.6.4. The YAML file includes information on impact, remediation, and example HTTP requests.

PR Information

  • Fixed CVE-2020-XXX / Added CVE-2020-XXX / Updated CVE-2020-XXX
  • References:

Template validation

  • Validated with a host running a vulnerable version and/or configuration (True Positive)
  • Validated with a host running a patched version and/or configuration (avoid False Positive)

Additional Details (leave it blank if not applicable)

Additional References:

CVE-2026-28409 details added, highlighting a critical remote code execution vulnerability in WeGIA versions <= 3.6.4. The YAML file includes information on impact, remediation, and example HTTP requests.
@Akokonunes Akokonunes self-assigned this Apr 17, 2026
@neo-by-projectdiscovery-dev
Contributor

neo-by-projectdiscovery-dev bot commented Apr 17, 2026

Neo - Nuclei Template Review

High: 1

Current PR state: 1 high active finding.

Highlights

  • High: Incorrect CVSS metrics and misleading template tags for authenticated RCE vulnerability in http/cves/CVE-2026-28409.yaml:18
High (1)
  • Incorrect CVSS metrics and misleading template tags for authenticated RCE vulnerability (http/cves/CVE-2026-28409.yaml:18)
    The template metadata contains contradictory security classifications that will mislead security teams. Line 18 declares CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H with a 10.0 score, claiming no privileges are required (PR:N). However, CVE-2026-28409 is an authenticated RCE that requires administrative access - the official NVD assessment shows PR:H (high privileges required) with a 7.2 HIGH severity score. The template is also tagged with 'auth-bypass' and 'unauth' (line 29), but CVE-2026-28409 is NOT an authentication bypass vulnerability - that's CVE-2026-28408. This template actually demonstrates a two-CVE attack chain: step 1 (lines 38-58) exploits CVE-2026-28408 to bypass authentication, then steps 2-4 exploit CVE-2026-28409 for RCE. The CVSS vector PR:N with 10.0 score appears to represent the full chain's exploitability, not CVE-2026-28409 in isolation.
Hardening Notes
  • Template title states 'WeGIA <= 3.6.4' but description and official CVE documentation indicate the vulnerability affects 'WeGIA <= 3.6.5' - this is a metadata consistency issue but not an exploitable vulnerability
  • Template is tagged with 'auth-bypass' and 'unauth' while demonstrating an authenticated exploit flow. The CVE advisory mentions that admin access can be obtained via CVE-2026-28408 (separate auth bypass), which may justify these tags in a chained attack context

Comment @pdneo help for available commands. · Open in Neo

@github-actions github-actions bot requested a review from ritikchaddha April 17, 2026 03:04
Comment thread http/cves/CVE-2026-28409.yaml
@Akokonunes Akokonunes added the Done Ready to merge label Apr 17, 2026
DhiyaneshGeek and others added 2 commits April 17, 2026 12:16
Co-authored-by: neo-by-projectdiscovery-dev[bot] <261965179+neo-by-projectdiscovery-dev[bot]@users.noreply.github.com>