CVE-2026-33136 in WeGIA
Summary
by MITRE • 03/20/2026
WeGIA is a web manager for charitable institutions. Versions 3.6.6 and below have a Reflected Cross-Site Scripting (XSS) vulnerability in the listar_memorandos_ativos.php endpoint. An attacker can inject arbitrary JavaScript or HTML tags into the sccd GET parameter, which is then directly echoed into the HTML response without any sanitization or encoding. The script /html/memorando/listar_memorandos_ativos.php handles dynamic success messages to users using query string parameters. Similar to other endpoints in the Memorando module, it checks if $_GET['msg'] equals 'success'. If this condition is met, it directly concatenates and reflects $_GET['sccd'] into an HTML alert <div>. This issue is resolved in version 3.6.7.
Analysis
by VulDB Data Team • 03/26/2026
The vulnerability identified as CVE-2026-33136 affects WeGIA version 3.6.6 and earlier, a web management system designed for charitable institutions. The application has a reflected cross-site scripting vulnerability in its memorando module, specifically in the listar_memorandos_ativos.php endpoint. The flaw stems from insufficient input validation and output encoding, which allows an attacker to inject arbitrary JavaScript or HTML content into the application's response. The endpoint processes the sccd GET parameter without sanitization and echoes it directly into the HTML response. It handles dynamic success messages through query string parameters: the application checks whether $_GET['msg'] equals 'success' and, if so, concatenates $_GET['sccd'] into an HTML alert div element. Because the value is neither validated nor encoded, an attacker can craft a URL containing script tags or other HTML content in the sccd parameter. When a victim opens such a link, or the application otherwise processes it in a context where the parameter is reflected back to the user, the injected script executes in the victim's browser context, potentially leading to session hijacking, credential theft, or redirection to malicious sites. This vulnerability aligns with CWE-79, which defines Cross-Site Scripting as a weakness that occurs when an application includes untrusted data in a new web page without proper validation or escaping, allowing attackers to inject client-side scripts. The issue follows the ATT&CK technique T1059.001 for Command and Scripting Interpreter, specifically focusing on JavaScript execution within web browsers.
The vulnerability is particularly concerning because it sits in the application's user feedback system, where legitimate success messages are displayed. An attacker can exploit it by crafting a URL with a malicious payload in the sccd parameter; when the vulnerable endpoint processes that request, the injected code runs in the context of the victim's browser session. Because the vulnerability is reflected, the malicious script is not stored on the server but arrives with the HTTP request itself, which makes it harder to detect and prevent with traditional server-side security measures. The fix in version 3.6.7 properly sanitizes and encodes the sccd parameter before it is reflected back to the user, so that any potentially malicious input is neutralized before it is rendered in the HTML response. This remediation follows established practice for preventing XSS: validate input and encode output. The vulnerability demonstrates the importance of input sanitization in web applications, particularly where user feedback and dynamic content are displayed, since these features often become attack vectors when not properly secured. Organizations using this application should immediately upgrade to version 3.6.7 or later, as the vulnerability could be exploited to gain unauthorized access to user sessions and potentially compromise the entire web application environment. For charitable institutions that rely on this management system, exploitation could expose sensitive donor information, financial records, or operational data within the organization's web infrastructure.
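The reflection pattern described in the analysis, reconstructed as a hypothetical PHP function beside a hardened version. This is an added example, not WeGIA's own code or its 3.6.7 fix; the function names, the alert markup and the sample input are assumptions made here.

```php
<?php
// Added example (not WeGIA's code): the msg/sccd reflection pattern
// described above, reconstructed hypothetically, beside a hardened form.

// Vulnerable pattern: the GET value is concatenated straight into HTML.
function render_success_message_vulnerable(array $get): string
{
    if (isset($get['msg']) && $get['msg'] === 'success') {
        // BAD: raw user input lands in an HTML body context unencoded
        return '<div class="alert alert-success">' . ($get['sccd'] ?? '') . '</div>';
    }
    return '';
}

// Hardened form: encode for the HTML body context before output.
// ENT_QUOTES also encodes single quotes, ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string.
function render_success_message_fixed(array $get): string
{
    if (isset($get['msg']) && $get['msg'] === 'success') {
        $sccd = htmlspecialchars(
            (string) ($get['sccd'] ?? ''),
            ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
            'UTF-8'
        );
        return '<div class="alert alert-success">' . $sccd . '</div>';
    }
    return '';
}

// Constructed sample input: a harmless bold tag stands in for any markup.
$sample = ['msg' => 'success', 'sccd' => '<b>marker</b>'];

// In the vulnerable output the tag is live markup; in the fixed output
// the angle brackets are encoded and the browser shows them as text.
echo render_success_message_vulnerable($sample), PHP_EOL;
echo render_success_message_fixed($sample), PHP_EOL;
```

Output encoding is context-specific: htmlspecialchars() is correct for an HTML body or attribute value, but a value placed inside a script block, a URL or a CSS context needs the encoder for that context instead.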