Description
WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarDescricao and nomeClasse=ProdutoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2.
Published: 2026-01-16
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect
Action: Apply Patch
AI Analysis

Impact

An attacker can manipulate the nextPage parameter on the WeGIA control.php endpoint, causing the application to redirect users to arbitrary external sites. This unvalidated redirection can be leveraged for phishing, credential theft, malware delivery, and other social engineering attacks that benefit from the trust users place in the WeGIA domain.

Affected Systems

The vulnerability exists in the WeGIA web manager produced by LabRedesCefetRJ. Versions prior to 3.6.2 of the WeGIA application are affected, regardless of minor sub-releases. The flaw is present in the /Controle/control.php resource when the query string includes metodo=listarDescricao and nomeClasse=ProdutoControle.

Risk and Exploitability

The vulnerability carries a CVSS score of 4.8, indicating moderate impact severity. EPSS analysis shows a very low exploitation probability (<1%). It is not listed in the CISA KEV catalog. Attackers do not need any authentication to trigger the redirect; a crafted HTTP request to the vulnerable endpoint suffices. Given the nature of the flaw, exploitation is straightforward but the overall risk is moderated by the low predicted attack frequency.

Generated by OpenCVE AI on April 18, 2026 at 05:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to WeGIA version 3.6.2 or later, which implements proper validation of the nextPage parameter.
  • If immediate upgrade is not possible, apply a temporary filter at the web server or application firewall level to restrict the nextPage value to internal paths or refuse external URLs.
  • Continuously monitor user activity for anomalous redirects and implement organization-wide phishing awareness training to reduce successful social engineering attempts.

Generated by OpenCVE AI on April 18, 2026 at 05:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 30 Jan 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Mon, 19 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Wegia
Wegia wegia
Vendors & Products Wegia
Wegia wegia

Fri, 16 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 16 Jan 2026 20:00:00 +0000

Type Values Removed Values Added
Description WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarDescricao and nomeClasse=ProdutoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2.
Title WeGIA has an Open Redirect Vulnerability in control.php Endpoint via nextPage Parameter (metodo=listarDescricao, nomeClasse=ProdutoControle)
Weaknesses CWE-601
References
Metrics cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Wegia Wegia
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-16T21:02:05.778Z

Reserved: 2026-01-15T15:45:01.956Z

Link: CVE-2026-23729

cve-icon Vulnrichment

Updated: 2026-01-16T21:01:17.102Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-16T20:15:51.047

Modified: 2026-01-30T18:30:09.277

Link: CVE-2026-23729

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T05:45:38Z

Weaknesses