Description
WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=TipoSaidaControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2.
Published: 2026-01-16
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect enabling phishing and credential theft
Action: Patch
AI Analysis

Impact

This vulnerability allows an attacker to craft a request to the control.php endpoint with the nextPage parameter set to an arbitrary URL when the method and class parameters are set to specific values. The application does not validate or restrict this parameter, so a user who follows the link will be redirected to an external domain controlled by the attacker. This can be abused to trick users into entering their credentials on a fake login page or to download malware. The exploit does not require local system access or privileged credentials; it relies only on manipulating a normal HTTP request.

Affected Systems

The affected product is the WeGIA web manager for charitable institutions, produced by LabRedesCefetRJ. Versions earlier than 3.6.2 are vulnerable, as the fix that validates the nextPage parameter was delivered in release 3.6.2.

Risk and Exploitability

The CVSS score is 4.8, indicating moderate severity. The EPSS score is below 1%, implying a low probability of exploitation at the time of analysis, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to be a remote HTTP request to the control.php endpoint, requiring no special environment; the attacker can leverage the trusted WeGIA domain to conduct phishing campaigns.

Generated by OpenCVE AI on April 18, 2026 at 05:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the 3.6.2 update or any later release that contains the nextPage validation fix
  • If an update is not yet possible, enforce input validation to allow redirects only to trusted internal URLs or reject all values of nextPage
  • Monitor redirect-related traffic for unexpected external destinations and investigate anomalous requests

Generated by OpenCVE AI on April 18, 2026 at 05:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 30 Jan 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Mon, 19 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Wegia
Wegia wegia
Vendors & Products Wegia
Wegia wegia

Fri, 16 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 16 Jan 2026 19:45:00 +0000

Type Values Removed Values Added
Description WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=TipoSaidaControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2.
Title WeGIA has an Open Redirect Vulnerability in control.php Endpoint via nextPage Parameter (metodo=listarTodos, nomeClasse=TipoSaidaControle)
Weaknesses CWE-601
References
Metrics cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Wegia Wegia
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-16T19:49:16.754Z

Reserved: 2026-01-15T15:45:01.956Z

Link: CVE-2026-23727

cve-icon Vulnrichment

Updated: 2026-01-16T19:49:09.242Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-16T20:15:50.740

Modified: 2026-01-30T18:29:51.847

Link: CVE-2026-23727

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T05:45:38Z

Weaknesses