Description
WeGIA is a web manager for charitable institutions. Prior to 3.7.3, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=InternoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.7.3.
Published: 2026-05-27
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An Open Redirect flaw exists in the /WeGIA/controle/control.php endpoint of the WeGIA application when the nextPage parameter is used with metodo=listarTodos and nomeClasse=InternoControle. The application does not validate or constrain nextPage, enabling an attacker to redirect a user to any arbitrary external site. This can be leveraged for phishing, credential theft, malware delivery, or social-engineering attacks that exploit the trusted WeGIA domain.

Affected Systems

The vulnerability affects instances of the WeGIA web manager provided by LabRedesCefetRJ, up to version 3.7.2. Versions 3.7.3 and later contain the fix.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate risk. No EPSS data is available, and the vulnerability is not in the CISA KEV catalog. An attacker can abuse the flaw by simply visiting a crafted URL; no special authentication or privileged access is required, making it highly likely to be exploited in the field.

Generated by OpenCVE AI on May 27, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WeGIA to version 3.7.3 or later, which removes the unvalidated nextPage parameter.
  • If an immediate upgrade is not possible, configure a web application firewall or reverse proxy to allow only a fixed list of expected nextPage values and reject every other redirect target.
  • Continuously monitor application logs and user traffic for suspicious redirects or indicators of phishing campaigns targeting the WeGIA domain.
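The allowlist check and the log review that the two recommendations above describe, as an added example that is neither WeGIA's code nor part of the OpenCVE record. It is written in Python as a language-neutral illustration of what the redirect handler (or a proxy in front of it) should do before honouring nextPage; the allowlisted paths, the DEFAULT_PAGE fallback, the access-log format, the sample log lines and the function names are all constructed for this example.

```python
"""Allowlist validation for a nextPage-style redirect parameter (CWE-601
mitigation), plus a scan of access-log lines for rejected redirect targets.

Illustrative code only: the allowlist, default page, log format and sample
log lines below are constructed, not taken from WeGIA.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed allowlist: the only in-application pages a redirect may land on.
ALLOWED_NEXT_PAGES = frozenset({
    "/WeGIA/html/interno/listar_internos.php",
    "/WeGIA/html/home.php",
})
DEFAULT_PAGE = "/WeGIA/html/home.php"   # constructed fallback target


def resolve_next_page(value, allowed=ALLOWED_NEXT_PAGES):
    """Return the allowlisted path `value` refers to, or None if it is unsafe.

    Rejects anything carrying a scheme or host (absolute URLs, protocol-relative
    '//host', backslash forms that browsers normalise to '/'), anything with
    control characters, and any path not on the allowlist. Query string and
    fragment are dropped so the caller only ever redirects to the canonical
    allowlisted path.
    """
    if not value:
        return None
    candidate = unquote(value)                      # one layer of %-decoding
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
        return None                                 # control chars: reject
    candidate = candidate.replace("\\", "/")        # browsers treat \ as /
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return None                                 # absolute or //host URL
    if not candidate.startswith("/") or candidate.startswith("//"):
        return None                                 # must be a single-slash app path
    return parts.path if parts.path in allowed else None


def safe_redirect_target(value):
    """Value to place in the Location header: allowlisted path or DEFAULT_PAGE."""
    return resolve_next_page(value) or DEFAULT_PAGE


# Constructed access-log lines in common/combined format (example.net is a
# reserved documentation domain, not a real target).
SAMPLE_LOG = """\
203.0.113.10 - - [27/May/2026:19:35:01 +0000] "GET /WeGIA/controle/control.php?nomeClasse=InternoControle&metodo=listarTodos&nextPage=%2FWeGIA%2Fhtml%2Finterno%2Flistar_internos.php HTTP/1.1" 302 0
203.0.113.11 - - [27/May/2026:19:35:07 +0000] "GET /WeGIA/controle/control.php?nomeClasse=InternoControle&metodo=listarTodos&nextPage=https%3A%2F%2Fexample.net%2Flogin HTTP/1.1" 302 0
203.0.113.12 - - [27/May/2026:19:35:09 +0000] "GET /WeGIA/controle/control.php?nomeClasse=InternoControle&metodo=listarTodos&nextPage=%2F%2Fexample.net HTTP/1.1" 302 0
203.0.113.13 - - [27/May/2026:19:35:12 +0000] "GET /WeGIA/html/home.php HTTP/1.1" 200 4821
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_redirects(log_lines):
    """Flag control.php requests whose nextPage the allowlist would reject.

    Returns (client_ip, decoded_nextPage) pairs, which is what a reviewer
    monitoring for redirect abuse wants to triage.
    """
    findings = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if not target.path.endswith("/controle/control.php"):
            continue
        for raw in parse_qs(target.query).get("nextPage", []):
            if resolve_next_page(raw) is None:
                findings.append((line.split()[0], raw))
    return findings


if __name__ == "__main__":
    for ip, value in suspicious_redirects(SAMPLE_LOG.splitlines()):
        print(f"rejected redirect from {ip}: nextPage={value!r}")
```

The handler should redirect to `safe_redirect_target(request_value)` and never to the raw parameter; dropping the query string means even an allowlisted page cannot carry attacker-controlled arguments through the redirect.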

Advisories

No advisories yet.

History

Thu, 28 May 2026 15:30:00 +0000

  Type: Metrics
  Values removed: (none)
  Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 May 2026 03:45:00 +0000

  Type: First Time appeared
  Values removed: (none)
  Values added: Labredescefetrj; Labredescefetrj wegia

  Type: Vendors & Products
  Values removed: (none)
  Values added: Labredescefetrj; Labredescefetrj wegia

Wed, 27 May 2026 16:30:00 +0000

  Type: Description
  Values removed: (none)
  Values added: WeGIA is a web manager for charitable institutions. Prior to 3.7.3, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=InternoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.7.3.

  Type: Title
  Values removed: (none)
  Values added: WeGIA: Middleware whitelist bypass → open redirect via InternoControle.nextPage

  Type: Weaknesses
  Values removed: (none)
  Values added: CWE-601

  Type: References
  Values removed: (none)
  Values added: (none listed)

  Type: Metrics
  Values removed: (none)
  Values added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T14:37:38.018Z

Reserved: 2026-05-11T21:40:08.176Z

Link: CVE-2026-45335

Vulnrichment

Updated: 2026-05-28T14:36:24.140Z

NVD

Status : Deferred

Published: 2026-05-27T17:16:40.373

Modified: 2026-05-28T16:16:26.203

Link: CVE-2026-45335

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T03:30:05Z

Weaknesses
  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')