Description
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, the redirect parameter is taken directly from $_GET with no URL validation or whitelist check, then used verbatim in a header("Location: ...") call. This vulnerability is fixed in 3.6.9.
Published: 2026-04-06
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect via unvalidated redirect parameter
Action: Patch Now
AI Analysis

Impact

A redirect parameter in WeGIA is taken directly from the URL query string without any validation or whitelist checks before being passed to an HTTP header that sends the client to the supplied location. This flaw enables an attacker to supply an arbitrary URL in the redirect field and force users of the web application to be sent to a malicious site. The vulnerability is a classic example of CWE‑601 – Open Redirect, which can be leveraged for phishing, credential theft, or other social engineering attacks against unsuspecting users.
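The pattern the advisory describes, shown next to an allow-list check that refuses off-site targets, as an added PHP example (not WeGIA's code; the function names, the default landing page and the $allowedHosts list are assumptions):

```php
<?php
// Added illustration, not WeGIA's code: the vulnerable pattern beside a
// hardened resolver for the Location header.

// Vulnerable pattern: the query value goes straight into the Location header,
// so whoever crafts the link chooses where the browser ends up.
function redirect_unvalidated(): void
{
    header("Location: " . $_GET['redirect']);
    exit;
}

// Hardened: only same-site relative paths, or https URLs whose host is in
// $allowedHosts (assumed list), are returned; anything else yields $default.
function resolve_redirect(?string $redirect, string $default = '/index.php', array $allowedHosts = []): string
{
    if ($redirect === null || $redirect === '') {
        return $default;
    }
    // Control bytes (CR/LF etc.) are never legitimate in a redirect target.
    if (preg_match('/[\x00-\x1F\x7F]/', $redirect)) {
        return $default;
    }
    $parts = parse_url($redirect);
    if ($parts === false) {
        return $default;
    }
    // Absolute or protocol-relative ("//host/...") URL: host must be allow-listed.
    if (isset($parts['scheme']) || isset($parts['host'])) {
        $scheme = strtolower($parts['scheme'] ?? 'https');
        $host   = strtolower($parts['host'] ?? '');
        return ($scheme === 'https' && in_array($host, $allowedHosts, true)) ? $redirect : $default;
    }
    // Relative path: exactly one leading "/", because browsers treat "//" and
    // "/\" as protocol-relative and parse_url does not flag the backslash form.
    $path = $parts['path'] ?? '';
    if ($path === '' || $path[0] !== '/' || (isset($path[1]) && ($path[1] === '/' || $path[1] === '\\'))) {
        return $default;
    }
    return $redirect;
}

// Constructed inputs for a quick check from the CLI; in the application the
// result would be passed to header('Location: ' . resolve_redirect(...), true, 302).
foreach (['/home.php?tab=1', '//attacker.example', 'https://attacker.example/x',
          'javascript:alert(1)', "/ok\r\nX: y", '/\\attacker.example'] as $in) {
    printf("%-32s -> %s\n", json_encode($in), resolve_redirect($in));
}
```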

Affected Systems

The flaw is present in all releases of the WeGIA web manager from LabRedesCefetRJ before version 3.6.9. Attackers can exploit any instance of the application running a pre‑3.6.9 release.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate severity, and an EPSS score of less than 1% suggests a low probability of immediate exploitation. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog, and no exploit has been publicly disclosed. Attackers can craft a malicious URL containing the redirect parameter and deliver it to a target user, potentially through email or other links. The exploit requires no special privileges beyond the user’s ability to visit the crafted link.

Generated by OpenCVE AI on April 10, 2026 at 21:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WeGIA to version 3.6.9 or later to apply the vendor fix.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wegia; Wegia wegia
CPEs | | cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*
Vendors & Products | | Wegia; Wegia wegia
Metrics | | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Tue, 07 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Labredescefetrj; Labredescefetrj wegia
Vendors & Products | | Labredescefetrj; Labredescefetrj wegia

Tue, 07 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
Description | | WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, the redirect parameter is taken directly from $_GET with no URL validation or whitelist check, then used verbatim in a header("Location: ...") call. This vulnerability is fixed in 3.6.9.
Title | | WeGIA - Open Redirect - backup redirection — Unvalidated $_GET['redirect']
Weaknesses | | CWE-601
References | |
Metrics | | cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T13:40:11.583Z

Reserved: 2026-04-02T20:49:44.453Z

Link: CVE-2026-35475

Vulnrichment

Updated: 2026-04-07T13:39:56.951Z

NVD

Status : Analyzed

Published: 2026-04-06T22:16:24.340

Modified: 2026-04-10T20:18:42.237

Link: CVE-2026-35475

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:27:34Z

Weaknesses