CVE-2026-23728 in WeGIA
Summary
by MITRE • 01/16/2026
WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=DestinoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2.
Analysis
by VulDB Data Team • 01/31/2026
The vulnerability identified as CVE-2026-23728 represents a critical open redirect flaw within the WeGIA web management platform for charitable institutions. This security weakness exists in versions prior to 3.6.2 and specifically affects the /WeGIA/controle/control.php endpoint. The vulnerability manifests when the nextPage parameter is manipulated in conjunction with the metodo=listarTodos and nomeClasse=DestinoControle parameters, creating a dangerous pathway for malicious redirection attacks. The core issue stems from the application's complete failure to validate or sanitize the nextPage parameter input, allowing arbitrary URLs to be passed through without proper restrictions or verification mechanisms.
The technical exploitation of this vulnerability enables attackers to craft malicious links that appear to originate from the legitimate WeGIA domain while secretly redirecting users to external malicious websites. This open redirect vulnerability operates at the application layer and can be leveraged across multiple attack vectors including phishing campaigns, credential harvesting, and malware distribution. The impact is particularly severe because the redirects occur through the trusted WeGIA domain, making them more likely to be perceived as legitimate by end users and security personnel. The vulnerability falls under CWE-601 which specifically addresses open redirect vulnerabilities and aligns with ATT&CK technique T1566.001 for phishing attacks and T1071.004 for application layer protocol usage.
The operational impact of this vulnerability extends beyond simple redirection, creating significant risks for charitable institutions that rely on WeGIA for their web management. Attackers can exploit this weakness to steal user credentials through credential phishing pages, distribute malware through malicious file downloads, or conduct sophisticated social engineering campaigns that leverage the trust associated with the WeGIA platform. The vulnerability's persistence in versions prior to 3.6.2 indicates a lack of proper input validation controls and security testing during the application's development lifecycle. Organizations using affected versions face heightened risk of data breaches, reputational damage, and potential regulatory compliance violations due to the exposure of user sessions and sensitive institutional data.
The remediation for this vulnerability requires immediate upgrading to version 3.6.2 or later, which implements proper input validation and parameter sanitization for the nextPage field. Security measures should include comprehensive input validation, explicit URL whitelisting, and the implementation of a security policy that restricts redirection to only internal application paths. Organizations should also consider implementing web application firewalls with open redirect detection capabilities and conducting regular security assessments to identify similar vulnerabilities in other application components. The fix addresses the root cause by ensuring that all redirection parameters are properly validated against a known safe list of destinations, preventing attackers from injecting arbitrary URLs that could compromise user security and institutional integrity.
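As an added example, not code from the WeGIA project or from this advisory, the following PHP helper shows how a controller can constrain a nextPage parameter to internal application paths, as the remediation above describes. The fallback page and the allowed path prefixes are assumptions chosen for illustration, and str_starts_with() requires PHP 8.0 or later.

```php
<?php
// Added example (not WeGIA's own code): hardened redirect helper for a
// controller that accepts a "nextPage" parameter. Only same-origin paths under
// an allow-list of application areas are honoured; anything else falls back to
// a fixed internal page. Fallback and prefixes are assumed values.

function safeRedirectTarget(?string $nextPage, string $fallback = '/WeGIA/html/home.php'): string
{
    if ($nextPage === null || $nextPage === '') {
        return $fallback;
    }
    // Control characters and whitespace enable header injection and are
    // silently stripped by some browsers; reject them outright.
    if (preg_match('/[\x00-\x20\x7f]/', $nextPage) === 1) {
        return $fallback;
    }
    // Site-relative targets start with exactly one "/". A second "/" or a "\"
    // ("//host", "/\host") is a network-path reference to another origin.
    if ($nextPage[0] !== '/' || (strlen($nextPage) > 1 && ($nextPage[1] === '/' || $nextPage[1] === '\\'))) {
        return $fallback;
    }
    // Defence in depth: the parsed URL must carry no scheme, host or userinfo.
    $parts = parse_url($nextPage);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host']) || isset($parts['user'])) {
        return $fallback;
    }
    // Allow-list of application areas this controller may redirect into (assumed paths).
    foreach (['/WeGIA/html/', '/WeGIA/controle/'] as $prefix) {
        if (str_starts_with($parts['path'] ?? '', $prefix)) {
            return $nextPage;
        }
    }
    return $fallback;
}

// Vulnerable pattern the fix replaces: header('Location: ' . $_GET['nextPage']);
// Hardened usage:  header('Location: ' . safeRedirectTarget($_GET['nextPage'] ?? null));

// Constructed inputs exercising each branch.
$samples = [
    '/WeGIA/html/destino/listar.php',   // allowed: inside the allow-list
    'https://attacker.example/login',   // absolute URL -> fallback
    '//attacker.example/login',         // network-path reference -> fallback
    '/\\attacker.example/',             // backslash variant -> fallback
    "/WeGIA/html/a\r\nSet-Cookie: x",   // header injection attempt -> fallback
    '/etc/passwd',                      // same origin but outside allow-list -> fallback
];
foreach ($samples as $s) {
    printf("%-40s -> %s\n", json_encode($s), safeRedirectTarget($s));
}
```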