Description
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=EstoqueControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.9.
Published: 2026-04-06
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an unvalidated open redirect in the WeGIA web manager. Attackers can supply a crafted nextPage parameter to the listarTodos action and cause unsuspecting users to be redirected to arbitrary external sites. This can be used for phishing, credential harvesting, malware delivery, and other social engineering attacks that exploit the trust of the WeGIA domain. The weakness is a classic CWE‑601 type of open redirect.

Affected Systems

WeGIA applications built by LabRedesCefetRJ, specifically versions prior to 3.6.9, are affected. The vulnerability exists in the /WeGIA/controle/control.php endpoint when the nextPage parameter is present together with metodo=listarTodos and nomeClasse=EstoqueControle.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, and the EPSS score is below 1%, suggesting a low probability of exploitation. It is not listed in the CISA KEV catalog. The likely attack vector is a web‑browser based attack; an attacker can simply lure a user to a malicious URL that includes the vulnerable parameter. If successful, the user would be redirected to a malicious site, potentially leading to credential theft or malware infection.

Generated by OpenCVE AI on April 9, 2026 at 18:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WeGIA to version 3.6.9 or later
  • If an upgrade is not immediately possible, modify the application to validate or restrict the nextPage parameter to internal URLs only
  • Implement monitoring for suspicious redirect activity and educate users about phishing threats

Generated by OpenCVE AI on April 9, 2026 at 18:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Wegia
Wegia wegia
CPEs cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*
Vendors & Products Wegia
Wegia wegia
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Tue, 07 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Labredescefetrj
Labredescefetrj wegia
Vendors & Products Labredescefetrj
Labredescefetrj wegia

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=EstoqueControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.9.
Title WeGIA - Open Redirect - EstoqueControle - listarTodos() - Unvalidated $_GET['nextPage']
Weaknesses CWE-601
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Labredescefetrj Wegia
Wegia Wegia
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T13:44:36.730Z

Reserved: 2026-04-02T20:49:44.453Z

Link: CVE-2026-35472

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-06T21:16:22.040

Modified: 2026-04-09T17:38:02.150

Link: CVE-2026-35472

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:41:53Z

Weaknesses