{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35473", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T20:49:44.453Z", "datePublished": "2026-04-06T21:12:35.894Z", "dateUpdated": "2026-04-06T21:12:35.894Z"}, "containers": {"cna": {"title": "WeGIA - Open Redirect - IentradaControle - listarId() - Unvalidated $_GET['nextPage']", "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "lang": "en", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-q72f-4qx3-cvp7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-q72f-4qx3-cvp7"}], "affected": [{"vendor": "LabRedesCefetRJ", "product": "WeGIA", "versions": [{"version": "< 3.6.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T21:12:35.894Z"}, "descriptions": [{"lang": "en", "value": "WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarId and nomeClasse=IentradaControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.9."}], "source": {"advisory": "GHSA-q72f-4qx3-cvp7", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarId and nomeClasse=IentradaControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.9."}], "id": "CVE-2026-35473", "lastModified": "2026-04-06T22:16:24.053", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T22:16:24.053", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-q72f-4qx3-cvp7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.6.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "WeGIA", "source": "cna", "vendor": "LabRedesCefetRJ"}, "product": "wegia", "vendor": "labredescefetrj"}], "analysis": {"en": {"generated_at": "2026-04-07T02:17:31.868311+00:00", "value": {"mitigation_remediation": ["Upgrade the WeGIA installation to version 3.6.9 or later, which patches the open redirect flaw.", "Validate or sanitize the nextPage parameter to prevent arbitrary redirects.", "After patching, review web application logs for unexpected redirect activity and educate users about phishing risks."], "summary": {"action": "Apply Patch", "impact": "Open Redirect"}, "threat_synthesis": {"affected_systems": "The vulnerability affects installations of WeGIA produced by LabRedesCefetRJ. Any version earlier than 3.6.9 is susceptible, as the issue was fixed in release 3.6.9. The affected component is the /WeGIA/controle/control.php endpoint, which processes the nextPage parameter when metodo=listarId and nomeClasse=IentradaControle.", "description_and_impact": "WeGIA contains an open redirect flaw in the /WeGIA/controle/control.php endpoint. The flaw is triggered when the nextPage GET parameter is supplied together with metodo=listarId and nomeClasse=IentradaControle. Because the application does not validate or constrain the nextPage value, attackers can redirect users to arbitrary external sites. This vulnerability is classified as CWE-601 (Open Redirect). The resulting redirects enable phishing attacks, credential theft portals, or malware downloads, exploiting the trust placed in the WeGIA domain.", "risk_and_exploitability": "The CVSS score of 5.1 indicates a moderate severity. No EPSS score is available and the flaw is not listed in CISA\u2019s KEV catalog. Attackers can construct a URL with a malicious nextPage value and send it to users who access the vulnerable endpoint, making the attack vector a simple unauthenticated web request. While no public exploit code is known, the potential for social engineering via redirect warrants prompt remediation."}}}}, "created": "2026-04-07T06:54:01.631798+00:00", "updated": "2026-04-07T09:37:00.607941+00:00", "vendors": ["labredescefetrj", "labredescefetrj$PRODUCT$wegia"]}