Description
WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=DestinoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2.
Published: 2026-01-16
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect that can be used for phishing and credential theft
Action: Patch
AI Analysis

Impact

WeGIA, a web manager for charitable institutions, contains an open redirect flaw in its control.php endpoint. By omitting validation on the nextPage query parameter when used with metodo=listarTodos and nomeClasse=DestinoControle, an attacker can redirect users to arbitrary external sites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering that exploit the trusted WeGIA domain. The weakness is classified as CWE‑601, and the CVSS score of 4.8 indicates a medium impact.

Affected Systems

The flaw affects installations of WeGIA published by LabRedesCefetRJ, specifically versions up to and including 3.6.1. The latest release, 3.6.2, incorporates input validation that removes the vulnerability. Any deployment of WeGIA that has not been updated to 3.6.2 remains vulnerable.

Risk and Exploitability

With a CVSS score of 4.8, the issue is considered medium severity. The EPSS score of less than 1 percent suggests exploitation is currently unlikely, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to be the crafting of a malicious URL containing a nextPage value that points to an external host; the attacker then lures a user into visiting that URL. No special privileges or code execution are required, making the exploitation path low effort for an adversary while the trusted domain increases attack success probability.

Generated by OpenCVE AI on April 18, 2026 at 16:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WeGIA to version 3.6.2 or later to eliminate the open redirect flaw
  • Deploy a web application firewall or URL filter that blocks or logs unexpected nextPage query strings
  • Educate users to verify the destination URL before clicking links originating from the WeGIA domain

Generated by OpenCVE AI on April 18, 2026 at 16:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 30 Jan 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Mon, 19 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Wegia
Wegia wegia
Vendors & Products Wegia
Wegia wegia

Fri, 16 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 16 Jan 2026 20:00:00 +0000

Type Values Removed Values Added
Description WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=DestinoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2.
Title WeGIA has an Open Redirect Vulnerability in control.php Endpoint via nextPage Parameter (metodo=listarTodos, nomeClasse=DestinoControle)
Weaknesses CWE-601
References
Metrics cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Wegia Wegia
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-16T21:04:41.135Z

Reserved: 2026-01-15T15:45:01.956Z

Link: CVE-2026-23728

cve-icon Vulnrichment

Updated: 2026-01-16T21:04:38.049Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-16T20:15:50.890

Modified: 2026-01-30T18:29:58.017

Link: CVE-2026-23728

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T16:15:04Z

Weaknesses