CVE-2026-33135 in WeGIA
Summary
by MITRE • 03/20/2026
WeGIA is a web manager for charitable institutions. Versions 3.6.6 and below have a Reflected Cross-Site Scripting (XSS) vulnerability in the novo_memorandoo.php endpoint. An attacker can inject arbitrary JavaScript into the sccs GET parameter, which is directly echoed into the HTML response without any sanitization or encoding. The script /html/memorando/novo_memorandoo.php reads HTTP GET parameters to display dynamic success messages to the user. At approximately line 273, the code checks if $_GET['msg'] equals 'success'. If true, it directly concatenates $_GET['sccs'] into an HTML alert <div> and outputs it to the browser. This issue has been fixed in version 3.6.7.
Analysis
by VulDB Data Team • 03/26/2026
CVE-2026-33135 affects WeGIA, a web management platform for charitable institutions, in versions 3.6.6 and earlier. It is a reflected cross-site scripting (XSS) flaw in the novo_memorandoo.php endpoint that lets an attacker execute JavaScript in the context of a victim's browser. The root cause is missing input validation and output encoding in the application's parameter handling, a condition that directly compromises user security and application integrity.
The flaw lives in the application's dynamic rendering of HTTP GET parameters. At approximately line 273 of /html/memorando/novo_memorandoo.php, the code checks whether $_GET['msg'] equals 'success' and, if so, concatenates $_GET['sccs'] directly into an HTML alert <div> without any output encoding or sanitization. This is the classic reflected XSS pattern: user-supplied input flows unfiltered through the request handler and straight back into the response HTML, so a manipulated sccs parameter can carry arbitrary JavaScript that runs in the victim's browser session.
Because the injected script runs inside the victim's browser session, the impact goes beyond simple script execution: session hijacking, defacement of application content, and exfiltration of data reachable from an authenticated session are all possible. The attack is delivered as a crafted URL whose sccs parameter carries an encoded JavaScript payload; when a victim opens it, the code executes in their browser context. This creates opportunities for credential theft, unauthorized transactions, or manipulation of charitable institution data through the compromised web interface. Users with administrative privileges or access to sensitive charitable data are the most exposed, since the script runs with the rights of their authenticated session.
Remediation requires proper output encoding, backed by input validation, wherever request parameters are rendered. The fix shipped in version 3.6.7 addresses the core issue by encoding user-supplied values before they are rendered in HTML contexts, so injected markup is displayed as text rather than executed. Complementary controls are a Content Security Policy header, consistent use of HTML encoding functions for all dynamic content, and validation routines that check every GET parameter before it is processed. The weakness is classified as CWE-79, which covers cross-site scripting, and it reflects a clear departure from secure coding practice that application security testing and input validation should catch. The ATT&CK framework maps it to T1203 - Exploitation for Client Execution, since it lets an attacker run code in a user's browser through a web-based vector.
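The vulnerable pattern described at line 273 and the output-encoding fix described in the remediation, side by side. This is an added example, not WeGIA's code: the function names are hypothetical and the alert markup is a paraphrase of what the advisory describes, with a constructed sample input.

```php
<?php
// Added example (not WeGIA's own code). Reconstructs the msg/sccs pattern the
// advisory describes and shows the output-encoding fix beside it.

// Vulnerable pattern: the 'sccs' query value is concatenated straight into HTML.
function render_success_vulnerable(array $get): string {
    if (isset($get['msg']) && $get['msg'] === 'success') {
        // Raw reflection: any markup in 'sccs' reaches the browser unchanged.
        return '<div class="alert alert-success">' . ($get['sccs'] ?? '') . '</div>';
    }
    return '';
}

// Hardened pattern: encode for the HTML body context before output.
function render_success_fixed(array $get): string {
    if (isset($get['msg']) && $get['msg'] === 'success') {
        $msg = (string)($get['sccs'] ?? '');
        // ENT_QUOTES | ENT_HTML5 also escapes ' and ", so the value would be
        // safe inside a quoted attribute too; the charset is stated explicitly.
        $safe = htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        return '<div class="alert alert-success">' . $safe . '</div>';
    }
    return '';
}

// Defence in depth: a CSP header limits what an injected inline script could
// do even if an encoding gap is missed elsewhere. Send it before any output.
function send_csp_header(): void {
    header("Content-Security-Policy: default-src 'self'");
}

// Constructed sample input containing every character htmlspecialchars must
// neutralise (<, >, &, " and '). In production this would come from $_GET.
$sample = ['msg' => 'success', 'sccs' => 'Saved <b>ok</b> & "done" it\'s'];

echo "Vulnerable: ", render_success_vulnerable($sample), PHP_EOL;
echo "Fixed:      ", render_success_fixed($sample), PHP_EOL;
```

Run it with `php example.php`; the second line shows the angle brackets, ampersand and quotes rendered as entities, which is what stops a browser from interpreting them as markup.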