Description
WeGIA is a web manager for charitable institutions. Prior to 3.6.2, An Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=TipoEntradaControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2.
Published: 2026-01-16
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: User Redirection to External Sites
Action: Immediate Patch
AI Analysis

Impact

An open redirect flaw exists in the /WeGIA/controle/control.php endpoint when the nextPage parameter is used together with metodo=listarTodos and nomeClasse=TipoEntradaControle. The application accepts any value for nextPage without validation, causing the browser to navigate to an arbitrary external URL. This mechanism can be abused for phishing, credential theft, malware delivery, or other social‑engineering attacks that rely on the trusted appearance of the WeGIA domain.

Affected Systems

The WeGIA web manager provided by LabRedesCefetRJ is impacted in all releases prior to 3.6.2. Users who have not applied the 3.6.2 update retain the vulnerability.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity, while the EPSS value of less than 1% reflects a presently low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. The most likely attack path involves an attacker crafting a malicious link that redirects a user through the vulnerable endpoint; any user who follows that link can be affected, so the threat is primarily user‑oriented and relies on social engineering.

Generated by OpenCVE AI on April 18, 2026 at 05:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WeGIA to version 3.6.2 or later.
  • If upgrading is not immediately possible, restrict the nextPage parameter by applying a whitelist of approved redirect targets or removing the parameter entirely from control.php.
  • Monitor application logs for unexpected redirection activity and educate users about the risks of following unfamiliar links from the WeGIA domain.

Generated by OpenCVE AI on April 18, 2026 at 05:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 30 Jan 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Mon, 19 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Wegia
Wegia wegia
Vendors & Products Wegia
Wegia wegia

Fri, 16 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 16 Jan 2026 19:45:00 +0000

Type Values Removed Values Added
Description WeGIA is a web manager for charitable institutions. Prior to 3.6.2, An Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=TipoEntradaControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2.
Title WeGIA has an Open Redirect Vulnerability in control.php Endpoint via nextPage Parameter (metodo=listarTodos, nomeClasse=TipoEntradaControle)
Weaknesses CWE-601
References
Metrics cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Wegia Wegia
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-16T21:09:43.665Z

Reserved: 2026-01-15T15:45:01.956Z

Link: CVE-2026-23726

cve-icon Vulnrichment

Updated: 2026-01-16T21:09:39.440Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-16T20:15:50.597

Modified: 2026-01-30T18:29:14.007

Link: CVE-2026-23726

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T05:45:38Z

Weaknesses