Description
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos & listarId_Nome and nomeClasse=OrigemControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.9.
Published: 2026-04-06
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect
Action: Upgrade
AI Analysis

Impact

WeGIA, a web manager for charitable institutions, contains an open redirect flaw in its control.php endpoint. The nextPage parameter is accepted without validation when metodo equals listarTodos or listarId_Nome and nomeClasse is OrigemControle. Attackers can supply any URL to the parameter, causing the application to redirect end users to that location. This flaw is a classic example of an unchecked redirect (CWE-601) that can be leveraged for phishing, credential theft, malicious downloads or social engineering attacks under the guise of the legitimate WeGIA domain.

Affected Systems

The vulnerability affects the WeGIA application developed by LabRedesCefetRJ. Versions prior to 3.6.9 are vulnerable; version 3.6.9 and later contain the fix. No other versions are mentioned.

Risk and Exploitability

The CVSS score is 5.1, indicating moderate severity. The likelihood of exploitation is not quantified in EPSS and the flaw is not listed in CISA’s KEV catalog. Exploitation requires only the ability to provide a malicious nextPage URL, which can be triggered by a user clicking a link or visiting a crafted page. Because the vulnerability does not require authentication or elevated privileges, it is considered easy to exploit in the wild and represents a realistic phishing vector for attackers.

Generated by OpenCVE AI on April 7, 2026 at 02:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WeGIA to version 3.6.9 or later.
  • If upgrading is not possible, ensure that the nextPage parameter is validated or the redirect functionality is disabled for unauthenticated users.
  • Monitor outbound traffic for unexpected redirects originating from the control.php endpoint.
  • Educate users to recognize suspicious URLs and verify the legitimacy of links before clicking.
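One way to apply the second recommendation (validating nextPage before redirecting), written here as an added example rather than code from WeGIA: only a same-site absolute path is accepted, everything else falls back to a fixed page. The function name safe_next_page and the default landing path /WeGIA/ are assumptions.

```php
<?php
// Added example, not WeGIA's own code: accept nextPage only as a
// same-site path and fall back to a fixed page otherwise. The default
// landing path "/WeGIA/" is an assumption used for illustration.
function safe_next_page($nextPage, string $default = '/WeGIA/'): string
{
    if (!is_string($nextPage) || $nextPage === '') {
        return $default;
    }
    // Reject control characters; CR/LF in a Location value would also
    // open the door to response header injection.
    if (preg_match('/[\x00-\x1F\x7F]/', $nextPage)) {
        return $default;
    }
    // Must be an absolute path on this host: exactly one leading "/".
    // Browsers treat "//host" and "/\host" as protocol-relative URLs,
    // so a second "/" or "\" is refused.
    if ($nextPage[0] !== '/'
        || (strlen($nextPage) > 1 && ($nextPage[1] === '/' || $nextPage[1] === '\\'))) {
        return $default;
    }
    // Belt and braces: the parsed value must carry no scheme or host.
    $parts = parse_url($nextPage);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $nextPage;
}

// Where the controller currently redirects to $_GET['nextPage'] unchecked,
// route the value through the validator first.
$target = safe_next_page($_GET['nextPage'] ?? null);
header('Location: ' . $target, true, 302);
exit;
```

If the set of legitimate follow-up pages is small, an explicit allowlist of known paths is stricter still and easier to audit than pattern checks.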


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: none
Values Added:
  cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 09:45:00 +0000

Values Removed: none
Values Added:
  First Time appeared: Labredescefetrj; Labredescefetrj wegia
  Vendors & Products: Labredescefetrj; Labredescefetrj wegia

Tue, 07 Apr 2026 00:00:00 +0000

Values Removed: none
Values Added:
  Description: the vulnerability description shown at the top of this page
  Title: WeGIA - Open Redirect - OrigemControle - listarTodos() & listarId_Nome() - Unvalidated $_GET['nextPage']
  Weaknesses: CWE-601
  References: none listed
  Metrics: cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T14:03:07.406Z

Reserved: 2026-04-02T17:03:42.074Z

Link: CVE-2026-35398

Vulnrichment

Updated: 2026-04-08T13:59:43.506Z

NVD

Status: Undergoing Analysis

Published: 2026-04-06T21:16:21.740

Modified: 2026-04-08T14:16:28.540

Link: CVE-2026-35398

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T09:37:04Z

Weaknesses