{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33135", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T20:35:49.928Z", "datePublished": "2026-03-20T10:38:44.065Z", "dateUpdated": "2026-03-20T13:44:02.877Z"}, "containers": {"cna": {"title": "WeGIA has Reflected Cross-Site Scripting (XSS) in `novo_memorandoo.php` via `sccs` parameter", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w5rv-5884-w94v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w5rv-5884-w94v"}, {"name": "https://github.com/LabRedesCefetRJ/WeGIA/pull/1459", "tags": ["x_refsource_MISC"], "url": "https://github.com/LabRedesCefetRJ/WeGIA/pull/1459"}, {"name": "https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7"}], "affected": [{"vendor": "LabRedesCefetRJ", "product": "WeGIA", "versions": [{"version": "< 3.6.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T10:38:44.065Z"}, "descriptions": [{"lang": "en", "value": "WeGIA is a web manager for charitable institutions. Versions 3.6.6 and below have a Reflected Cross-Site Scripting (XSS) vulnerability in the novo_memorandoo.php endpoint. An attacker can inject arbitrary JavaScript into the sccs GET parameter, which is directly echoed into the HTML response without any sanitization or encoding. The script /html/memorando/novo_memorandoo.php reads HTTP GET parameters to display dynamic success messages to the user. At approximately line 273, the code checks if $_GET['msg'] equals 'success'. If true, it directly concatenates $_GET['sccs'] into an HTML alert <div> and outputs it to the browser. This issue has been fixed in version 3.6.7."}], "source": {"advisory": "GHSA-w5rv-5884-w94v", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w5rv-5884-w94v", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T13:43:59.114929Z", "id": "CVE-2026-33135", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T13:44:02.877Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33135", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T13:43:59.114929Z"}}}], "references": [{"url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w5rv-5884-w94v", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T13:43:52.010Z"}}], "cna": {"title": "WeGIA has Reflected Cross-Site Scripting (XSS) in `novo_memorandoo.php` via `sccs` parameter", "source": {"advisory": "GHSA-w5rv-5884-w94v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "LabRedesCefetRJ", "product": "WeGIA", "versions": [{"status": "affected", "version": "< 3.6.7"}]}], "references": [{"url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w5rv-5884-w94v", "name": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w5rv-5884-w94v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/LabRedesCefetRJ/WeGIA/pull/1459", "name": "https://github.com/LabRedesCefetRJ/WeGIA/pull/1459", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7", "name": "https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WeGIA is a web manager for charitable institutions. Versions 3.6.6 and below have a Reflected Cross-Site Scripting (XSS) vulnerability in the novo_memorandoo.php endpoint. An attacker can inject arbitrary JavaScript into the sccs GET parameter, which is directly echoed into the HTML response without any sanitization or encoding. The script /html/memorando/novo_memorandoo.php reads HTTP GET parameters to display dynamic success messages to the user. At approximately line 273, the code checks if $_GET['msg'] equals 'success'. If true, it directly concatenates $_GET['sccs'] into an HTML alert <div> and outputs it to the browser. This issue has been fixed in version 3.6.7."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T10:38:44.065Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33135", "state": "PUBLISHED", "dateUpdated": "2026-03-20T13:44:02.877Z", "dateReserved": "2026-03-17T20:35:49.928Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T10:38:44.065Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WeGIA is a web manager for charitable institutions. Versions 3.6.6 and below have a Reflected Cross-Site Scripting (XSS) vulnerability in the novo_memorandoo.php endpoint. An attacker can inject arbitrary JavaScript into the sccs GET parameter, which is directly echoed into the HTML response without any sanitization or encoding. The script /html/memorando/novo_memorandoo.php reads HTTP GET parameters to display dynamic success messages to the user. At approximately line 273, the code checks if $_GET['msg'] equals 'success'. If true, it directly concatenates $_GET['sccs'] into an HTML alert <div> and outputs it to the browser. This issue has been fixed in version 3.6.7."}], "id": "CVE-2026-33135", "lastModified": "2026-03-20T14:16:15.677", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T11:18:03.360", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/LabRedesCefetRJ/WeGIA/pull/1459"}, {"source": "security-advisories@github.com", "url": "https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7"}, {"source": "security-advisories@github.com", "url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w5rv-5884-w94v"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w5rv-5884-w94v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-20T12:20:59.548466+00:00", "value": {"mitigation_remediation": ["Upgrade WeGIA to version 3.6.7 or newer", "Verify the upgrade by testing the novo_memorandoo.php endpoint and ensuring no reflected XSS is possible"], "summary": {"action": "Apply Patch", "impact": "Reflected Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The affected product is WeGIA from LabRedesCefetRJ. Versions 3.6.6 and earlier are vulnerable; the issue is resolved in version 3.6.7. No other products or vendors are listed.", "description_and_impact": "WeGIA, a web manager for charitable institutions, contains a Reflected Cross\u2011Site Scripting (XSS) flaw in its novo_memorandoo.php endpoint. The vulnerability is caused by directly echoing the GET parameter \"sccs\" into an HTML alert without any sanitization or encoding. An attacker who can lure a user to a crafted URL can inject arbitrary JavaScript that will execute in the victim\u2019s browser, potentially enabling session hijacking, defacement, or data theft. This is a classic example of CWE\u201179, where reflected input is inadequately handled.", "risk_and_exploitability": "The CVSS score for this flaw is 9.3, indicating critical severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be network via the HTTP GET parameter, as the vulnerability is triggered when a user navigates to a URL containing the malicious \"sccs\" value. Exploitation requires the target user\u2019s browser to render the crafted page, making social engineering or phishing a likely delivery method."}}}}, "created": "2026-03-20T14:13:40.235194+00:00", "updated": "2026-03-20T14:13:40.235226+00:00", "vendors": []}