Description
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarId and nomeClasse=IsaidaControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.9.
Published: 2026-04-06
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect enabling phishing and credential theft
Action: Patch
AI Analysis

Impact

An unvalidated redirection parameter allows attackers to force users of the WeGIA application to arbitrary external sites. The flaw exists in the /WeGIA/controle/control.php endpoint when metodo=listarId and nomeClasse=IsaidaControle are used together with the nextPage parameter. Leveraging this, adversaries can deliver phishing pages, malware, or other social engineering content under the guise of the trusted WeGIA domain. The weakness maps to CWE-601, indicating a missing validation of user-supplied URLs.

Affected Systems

The vulnerability affects the WeGIA web manager produced by LabRedesCefetRJ. All releases prior to version 3.6.9 are impacted. The issue was fixed in the 3.6.9 build, so versions 3.6.9 and later are not vulnerable.

Risk and Exploitability

The CVSS score of 5.1 classifies the flaw as moderate severity, and the EPSS score of less than 1% suggests a low likelihood of current exploitation. It is not listed in the CISA KEV catalog. The attack vector is inferred to be web-based, requiring the attacker to entice or trick a user into clicking a crafted link pointing to the vulnerable endpoint. Once redirected, the user could be exposed to phishing or malware.

Generated by OpenCVE AI on April 9, 2026 at 18:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WeGIA to version 3.6.9 or later
  • If an upgrade is delayed, avoid exposing the nextPage parameter to untrusted inputs or enforce strict URL validation in your deployment

Generated by OpenCVE AI on April 9, 2026 at 18:28 UTC.
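The second recommended action above asks for strict validation of the nextPage value until the upgrade is in place. The following PHP helper is an added example of what that validation looks like; it is not WeGIA project code, and the function names and the allowlisted paths are hypothetical. It accepts only same-site relative paths (a single leading "/"), rejecting absolute URLs, protocol-relative "//host" values, backslash variants that browsers normalise to "/", and control characters that would permit header injection.

```php
<?php
// Added example, not WeGIA's own code. Helper names are hypothetical.
declare(strict_types=1);

/**
 * Return a safe local redirect target, or $fallback if $candidate is unsafe.
 * Only paths relative to this site (exactly one leading "/") are accepted.
 */
function safeRedirectTarget(?string $candidate, string $fallback = '/'): string
{
    if ($candidate === null || $candidate === '') {
        return $fallback;
    }

    // Reject control characters (CR/LF would allow header injection) and
    // backslashes, which some browsers turn into "/" ("/\evil" -> "//evil").
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $candidate)) {
        return $fallback;
    }

    // Require exactly one leading "/": "//host" is protocol-relative, and a
    // value without a leading "/" may carry a scheme ("https:", "javascript:").
    if ($candidate[0] !== '/' || (strlen($candidate) > 1 && $candidate[1] === '/')) {
        return $fallback;
    }

    // Defence in depth: the parsed value must carry no scheme and no host.
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }

    return $candidate;
}

// Stricter alternative: allowlist known destinations (paths are constructed
// for this example; /WeGIA/controle/control.php is the endpoint named above).
const ALLOWED_NEXT_PAGES = ['/WeGIA/controle/control.php', '/WeGIA/index.php'];

function isAllowedNextPage(string $path): bool
{
    $pathOnly = parse_url($path, PHP_URL_PATH);
    return is_string($pathOnly) && in_array($pathOnly, ALLOWED_NEXT_PAGES, true);
}

// Usage in a controller (hypothetical):
// $target = safeRedirectTarget($_GET['nextPage'] ?? null, '/WeGIA/index.php');
// header('Location: ' . $target, true, 303);
// exit;

// Self-check over constructed inputs when run from the CLI.
if (PHP_SAPI === 'cli') {
    $cases = [
        '/WeGIA/controle/control.php?id=3' => '/WeGIA/controle/control.php?id=3',
        'https://attacker.example/login'   => '/',
        '//attacker.example/login'         => '/',
        '/\\attacker.example'              => '/',
        'javascript:alert(1)'              => '/',
        "/ok\r\nSet-Cookie: x=y"           => '/',
    ];
    foreach ($cases as $input => $expected) {
        $got = safeRedirectTarget($input);
        printf("%-40s -> %-36s %s\n", addcslashes($input, "\r\n"), $got,
            $got === $expected ? 'OK' : 'MISMATCH');
    }
}
```

Because PHP has already URL-decoded $_GET, an encoded "%2F%2Fattacker.example" arrives as "//attacker.example" and is caught by the second check; the regex runs first so the backslash form is rejected before the leading-slash test. Prefer the allowlist where the set of legitimate destinations is small, and log rejected values so that phishing attempts against the endpoint show up in monitoring.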

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 17:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wegia; Wegia wegia
CPEs                |                | cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*
Vendors & Products  |                | Wegia; Wegia wegia
Metrics (cvssV3_1)  |                | {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Tue, 07 Apr 2026 18:00:00 +0000

Type           | Values Removed | Values Added
Metrics (ssvc) |                | {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 09:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Labredescefetrj; Labredescefetrj wegia
Vendors & Products  |                | Labredescefetrj; Labredescefetrj wegia

Tue, 07 Apr 2026 00:00:00 +0000

Type               | Values Removed | Values Added
Description        |                | WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarId and nomeClasse=IsaidaControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.9.
Title              |                | WeGIA - Open Redirect - IsaidaControle - listarId() - Unvalidated $_GET['nextPage']
Weaknesses         |                | CWE-601
References         |                |
Metrics (cvssV4_0) |                | {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T16:18:28.883Z

Reserved: 2026-04-02T17:03:42.074Z

Link: CVE-2026-35396

Vulnrichment

Updated: 2026-04-07T16:18:25.807Z

NVD

Status : Analyzed

Published: 2026-04-06T21:16:21.600

Modified: 2026-04-09T17:40:03.920

Link: CVE-2026-35396

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:44:59Z

Weaknesses