CVE-2026-45335 LabRedesCefetRJ CVE debrief

Who should care

Organizations operating WeGIA instances for charitable institution management, security teams defending against phishing campaigns, and users of WeGIA-based donation or volunteer management platforms

Technical summary

The WeGIA application fails to validate the nextPage parameter in /WeGIA/controle/control.php when processing requests with metodo=listarTodos and nomeClasse=InternoControle. This allows attackers to specify arbitrary URLs for redirection, bypassing same-origin protections and enabling attacks that leverage the trusted domain reputation of the WeGIA instance. The vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site) with a CVSS 3.1 score of 5.4 (Medium severity). Attack complexity is low, requiring only low privileges and no user interaction beyond following a crafted link.

Defensive priority

medium

Recommended defensive actions

• Upgrade WeGIA to version 3.7.3 or later to remediate the open redirect vulnerability
• Implement server-side validation for the nextPage parameter to restrict redirects to approved domains or paths
• Review access logs for suspicious requests to /WeGIA/controle/control.php with external nextPage values
• Deploy web application firewall rules to detect and block open redirect patterns in the control.php endpoint
• Educate users about verifying destination URLs before entering credentials, even when links appear to originate from trusted internal systems

Evidence notes

Vulnerability confirmed through GitHub Security Advisory GHSA-x85f-76c9-qw3x. CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N. CWE-601 (URL Redirection to Untrusted Site) identified as root cause. Fix version 3.7.3 explicitly stated in advisory.

Official resources