Open Redirect Flaw in WeGIA Web Manager for Charitable Institutions
CVE-2026-23727

4.8MEDIUM

Key Information:

Vendor

Labredescefetrj

Status
Wegia
Vendor
CVE Published:
16 January 2026

What is CVE-2026-23727?

The WeGIA web manager for charitable institutions has an Open Redirect vulnerability in the /WeGIA/controle/control.php endpoint. Specifically, the issue arises from improper validation of the nextPage parameter when used alongside metodo=listarTodos and nomeClasse=TipoSaidaControle. This security weakness allows malicious actors to redirect users to arbitrary external sites, thereby facilitating phishing attacks, credential theft, and malware distribution, all while appearing legitimate through the trusted WeGIA domain. This vulnerability has been addressed in version 3.6.2.

Affected Version(s)

WeGIA < 3.6.2

References

https://github.com/LabRedesCefetRJ/WeGIA/security/advisor...
x_refsource_CONFIRM
https://github.com/LabRedesCefetRJ/WeGIA/pull/1333
x_refsource_MISC
https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2
x_refsource_MISC

CVSS V4

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.