Description
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=EstoqueControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.9.
Published: 2026-04-06
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect (Phishing & Credential Theft)
Action: Patch
AI Analysis

Impact

The WeGIA web manager contains an unvalidated redirect in its control.php endpoint. When the metodo parameter is set to listarTodos and nomeClasse to EstoqueControle, the value of the nextPage query parameter is forwarded directly to the browser as the redirect target. Attacker-controlled values can send a user to any external site, enabling phishing, credential harvesting, malware delivery, or social-engineering attacks through a URL that appears to originate from the trusted WeGIA domain.

Affected Systems

Any instance of WeGIA deployed by LabRedesCefetRJ and running a version older than 3.6.9 is affected. The vulnerability manifests when /WeGIA/controle/control.php is accessed with the vulnerable combination of parameters.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate risk. Exploitation requires no user authentication; an attacker only needs to supply a crafted link. Although the probability of exploitation is not currently quantified, open redirects are frequently leveraged in phishing campaigns. Because this issue is not in the known exploited vulnerabilities list, it may be overlooked, but its potential for abuse remains significant.

Generated by OpenCVE AI on April 7, 2026 at 02:17 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade WeGIA to version 3.6.9 or later.
  • If an upgrade is not yet possible, restrict the nextPage parameter to a whitelist of internal URLs or validate its value using length and domain checks.
  • Monitor web traffic for unexpected redirects or unusual usage of the nextPage parameter.
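A server-side validator for the nextPage parameter, illustrating the second and third recommendations above (allow only internal targets, and log rejected values for monitoring). This is an added example, not WeGIA's own code; it assumes PHP 8 and that the application is served under /WeGIA/, and the DEFAULT_PAGE path is a hypothetical placeholder.

```php
<?php
// Added example (not WeGIA's code): accept a nextPage value only when it is a
// relative path inside this application; anything else falls back to a default.
declare(strict_types=1);

const APP_BASE_PATH = '/WeGIA/';               // assumption: application path prefix
const DEFAULT_PAGE  = '/WeGIA/html/home.php';  // hypothetical landing page

function safeNextPage(?string $nextPage): string
{
    if ($nextPage === null || $nextPage === '') {
        return DEFAULT_PAGE;
    }
    // Control characters (CR/LF enable header injection) and backslashes
    // (some browsers treat "/\host" like "//host") are never acceptable.
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $nextPage)) {
        return DEFAULT_PAGE;
    }
    // Require a single leading "/": "//evil.example" is protocol-relative and
    // would leave the origin. A ":" anywhere could carry a scheme, so reject it.
    if (!preg_match('#^/(?!/)#', $nextPage) || str_contains($nextPage, ':')) {
        return DEFAULT_PAGE;
    }
    // parse_url() must agree that there is no scheme or host component.
    $parts = parse_url($nextPage);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return DEFAULT_PAGE;
    }
    // The path must stay under the application prefix and not climb out of it.
    $path = $parts['path'] ?? '';
    if (!str_starts_with($path, APP_BASE_PATH) || str_contains($path, '..')) {
        return DEFAULT_PAGE;
    }
    return $nextPage;
}

// Use this instead of passing the raw request parameter to header('Location: ...').
function redirectToNextPage(string $requested): void
{
    $target = safeNextPage($requested);
    if ($target !== $requested) {
        // Rejected values are worth logging: they feed the monitoring suggested above.
        error_log('nextPage rejected: ' . substr($requested, 0, 200));
    }
    header('Location: ' . $target, true, 302);
    exit;
}

// Example call from a controller action: redirectToNextPage($_GET['nextPage'] ?? '');
```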



Advisories

No advisories yet.

History

Tue, 07 Apr 2026 09:45:00 +0000

Type: First Time appeared
  Values added: Labredescefetrj; Labredescefetrj wegia
Type: Vendors & Products
  Values added: Labredescefetrj; Labredescefetrj wegia

Tue, 07 Apr 2026 00:00:00 +0000

Type: Description
  Values added: WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=EstoqueControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.9.
Type: Title
  Values added: WeGIA - Open Redirect - EstoqueControle - listarTodos() - Unvalidated $_GET['nextPage']
Type: Weaknesses
  Values added: CWE-601
Type: References
Type: Metrics
  Values added: cvssV4_0, score 5.1, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T13:44:36.730Z

Reserved: 2026-04-02T20:49:44.453Z

Link: CVE-2026-35472

Vulnrichment

No data.

NVD

Status : Undergoing Analysis

Published: 2026-04-06T21:16:22.040

Modified: 2026-04-07T15:17:44.837

Link: CVE-2026-35472

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T09:37:03Z

Weaknesses