Platform: php
Component: wegia
Fixed in: 3.6.8
CVE-2026-33136 describes a Reflected Cross-Site Scripting (XSS) vulnerability in WeGIA, a web manager for charitable institutions. It allows an attacker to inject arbitrary JavaScript or HTML into the HTML response, which can compromise user sessions and the data they can reach. The vulnerability affects versions 3.6.6 and earlier; a fix is available in version 3.6.7.
The flaw is triggered when a user opens the listarmemorandosativos.php endpoint with a crafted sccd parameter: the parameter value is reflected into the HTML response without encoding, so any markup or script it contains is rendered and executed in the victim's browser within the WeGIA origin. From there the script can read session cookies that are not marked HttpOnly, redirect the user to a malicious site, or issue requests to WeGIA with the victim's privileges. Successful exploitation can therefore lead to account takeover and unauthorized access to sensitive data in the WeGIA system; the impact is greater where the installation holds financial or personal information about donors or beneficiaries.
CVE-2026-33136 was publicly disclosed on 2026-03-20. No public proof-of-concept exploit is known at the time of writing, and the vulnerability is not listed in CISA KEV; the EPSS score reported on this page (0.03%, 10th percentile) likewise indicates little observed exploitation activity. The bug itself is trivial to reproduce (a single GET parameter reflected unencoded), so automated web scanners will find it readily. Turning it into an attack still requires luring an authenticated WeGIA user to a crafted URL, for example via e-mail or a link planted on another page.
Charitable institutions running WeGIA 3.6.6 or earlier are exposed. Organizations that use WeGIA to manage donor or beneficiary records face the greatest impact, because script running in a staff member's session can read or alter that data, and a resulting breach carries reputational damage. Because the injected script executes only in the victim's browser within the WeGIA origin, other websites that merely share the same server are not affected by this flaw.
• php: Examine access logs for requests to /html/memorando/listarmemorandosativos.php whose sccd GET parameter contains markup characters, either raw or URL-encoded. Note that plain grep uses basic regular expressions, in which + is a literal character, so use -E. The pattern below also tolerates the underscored spelling of the file name that appears elsewhere on this page:
grep -Ei 'listar_?memorandos_?ativos\.php\?[^" ]*sccd=[^&" ]*(<|>|"|%3C|%3E|%22|%27|script|onerror)' /var/log/apache2/access.log
• generic web: Use curl to test the endpoint with a simple XSS payload and check whether it is reflected unencoded. Let curl URL-encode the payload rather than placing raw angle brackets in the URL; if the endpoint requires a login, pass a valid session cookie with -b. A count of 1 or more means the payload came back verbatim; a patched version returns it encoded (e.g. &lt;script&gt;).
curl -s --get 'http://wegia-server/html/memorando/listar_memorandos_ativos.php' --data-urlencode 'sccd=<script>alert("XSS")</script>' | grep -c '<script>alert("XSS")</script>'
• generic web: Check the response headers for a missing or permissive Content-Security-Policy. A CSP that forbids inline script limits what a reflected payload can do, but it is defense in depth and does not replace the fix.
curl -sI 'http://wegia-server/html/memorando/listar_memorandos_ativos.php' | grep -i 'content-security-policy'
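The grep above misses payloads that are double-encoded or split across encodings. The following PHP CLI script is an added example written for this page, not part of WeGIA or the advisory: it parses Apache combined-format access log lines, decodes the sccd value twice and flags values that can open a tag, break out of an attribute or reference a script handler. The log lines, IP addresses and endpoint spelling variants are constructed for illustration.

```php
<?php
// Added example (not WeGIA code): scan Apache access log lines for requests to the
// memorando listing endpoint whose sccd parameter, after URL-decoding, carries
// characters that have no place in a legitimate value. Sample log lines are
// constructed for this example.

declare(strict_types=1);

// Accept both spellings of the endpoint that appear in public descriptions.
const ENDPOINT_PATTERN = '~/html/memorando/listar_?memorandos_?ativos\.php\?~i';

// Returns the decoded suspicious sccd value, or null if the line is not relevant.
function suspiciousSccd(string $logLine): ?string
{
    // Extract the request target from the quoted request field: "GET /path?q=1 HTTP/1.1"
    if (!preg_match('~"(?:GET|POST|HEAD) (\S+) HTTP/~', $logLine, $m)) {
        return null;
    }
    $target = $m[1];
    if (!preg_match(ENDPOINT_PATTERN, $target)) {
        return null;
    }
    $query = (string) parse_url($target, PHP_URL_QUERY);
    parse_str($query, $params);          // parse_str URL-decodes each value once
    if (!isset($params['sccd']) || !is_string($params['sccd'])) {
        return null;
    }
    // Decode a second time to catch double-encoded payloads (%253C -> %3C -> <).
    $value = rawurldecode($params['sccd']);
    // A memorando code is expected to be a short token; anything that can open a tag,
    // break out of an attribute, or reference a handler or URL scheme is flagged.
    if (preg_match('~[<>"\'`]|javascript:|\bon[a-z]+\s*=~i', $value)) {
        return $value;
    }
    return null;
}

// Constructed sample log: one benign request, one plain payload, one double-encoded
// payload and one unrelated request.
$sampleLog = [
    '203.0.113.5 - - [20/Mar/2026:10:00:01 +0000] "GET /html/memorando/listar_memorandos_ativos.php?sccd=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Mar/2026:10:00:09 +0000] "GET /html/memorando/listar_memorandos_ativos.php?sccd=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5210 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [20/Mar/2026:10:01:13 +0000] "GET /html/memorando/listarmemorandosativos.php?sccd=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5230 "-" "curl/8.0"',
    '203.0.113.2 - - [20/Mar/2026:10:02:00 +0000] "GET /html/index.php HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
];

foreach ($sampleLog as $line) {
    $hit = suspiciousSccd($line);
    if ($hit !== null) {
        echo 'ALERT sccd=', $hit, PHP_EOL;
    }
}
```

Run it with `php scan.php` (or replace the array with lines read from the real log via `file()`); the benign value 42 and the unrelated request produce no output, while both payload lines are reported with their fully decoded value.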
Disclosure: 2026-03-20
Exploit status
EPSS: 0.03% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33136 is to upgrade WeGIA to version 3.6.7 or later, which contains the fix. If upgrading is not immediately feasible, a Web Application Firewall rule that blocks requests whose sccd parameter contains markup characters (raw or URL-encoded) reduces exposure, but encoding-based bypasses make a WAF a stopgap rather than a fix. The durable server-side fix is twofold: validate sccd against the format the application actually expects, and HTML-encode the value in every place it is reflected into the response, choosing the encoding for the context (element body versus attribute value). Input filtering alone is not sufficient; the same review should be applied to every other user-supplied value that is rendered into HTML.
Update WeGIA to version 3.6.7 or later. This version contains the fix for the XSS vulnerability. Download the latest version from the official repository or the vendor's website.
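To make the server-side fix concrete, the following PHP snippet is an added example written for this page; it is not WeGIA's source. It reconstructs the vulnerable pattern the advisory describes (sccd reflected unencoded) as a hypothetical handler and places a hardened version beside it. Function names, the HTML layout and the assumption that sccd is a numeric code are all illustrative; adjust the validation pattern to the parameter's real format.

```php
<?php
// Added example, not WeGIA's code: the advisory describes the sccd GET parameter of
// listarmemorandosativos.php being reflected unencoded into the HTML response. The
// handler below is a hypothetical reconstruction of that pattern next to a hardened
// version. Names, markup and the numeric-code assumption are illustrative.

declare(strict_types=1);

// Vulnerable pattern: the raw parameter is concatenated into the page, so a value
// such as "><script>alert(1)</script> closes the attribute and becomes live markup.
function renderVulnerable(array $get): string
{
    $sccd = (string) ($get['sccd'] ?? '');
    return '<input type="text" name="sccd" value="' . $sccd . '">'
         . '<p>Active memoranda for code ' . $sccd . '</p>';
}

// Context-aware encoding for HTML element bodies and double-quoted attributes.
// ENT_QUOTES also encodes single quotes (relevant inside attribute values);
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: allow-list validation first, then encode every reflection.
// A real handler would additionally respond with HTTP 400 on the invalid branch.
function renderHardened(array $get): string
{
    $raw = (string) ($get['sccd'] ?? '');
    // Assumption for this example: sccd is a short decimal code. Anything else is
    // rejected before it reaches the template.
    if (!preg_match('/^\d{1,10}$/', $raw)) {
        return '<p>Invalid sccd parameter.</p>';
    }
    $sccd = escapeHtml($raw);
    return '<input type="text" name="sccd" value="' . $sccd . '">'
         . '<p>Active memoranda for code ' . $sccd . '</p>';
}

// Demonstration with a constructed payload that breaks out of the attribute.
$payload = ['sccd' => '"><script>alert(document.cookie)</script>'];
echo 'vulnerable: ', renderVulnerable($payload), PHP_EOL;
echo 'hardened:   ', renderHardened($payload), PHP_EOL;

// The encoder alone also neutralises the payload when validation cannot be that strict.
echo 'encoded:    ', escapeHtml($payload['sccd']), PHP_EOL;
```

The vulnerable output contains a live script element; the hardened output rejects the value, and the last line shows that even without strict validation the encoder turns the payload into inert text (`&quot;&gt;&lt;script&gt;...`). Validation and output encoding are complementary: validation narrows what reaches the template, encoding guarantees that whatever does reach it cannot change the document structure.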
CVE-2026-33136 is a Reflected Cross-Site Scripting (XSS) vulnerability in WeGIA versions 3.6.6 and earlier that lets an attacker inject script into the listarmemorandosativos.php response through the sccd parameter.
You are affected if you are running WeGIA version 3.6.6 or earlier. Upgrade to version 3.6.7 to mitigate the risk.
The recommended fix is to upgrade WeGIA to version 3.6.7. As a temporary workaround, validate the sccd parameter server-side and HTML-encode it wherever it is reflected, or filter it at a WAF.
No public exploit is currently known, but a reflected XSS of this kind is simple to reproduce, so the patch should be applied promptly.
Refer to the WeGIA official website or security advisories for the latest information and updates regarding CVE-2026-33136.