Platform
php
Component
wegia
Fixed in
3.6.8
CVE-2026-33135 describes a Reflected Cross-Site Scripting (XSS) vulnerability affecting WeGIA, a web manager for charitable institutions. This vulnerability allows attackers to inject arbitrary JavaScript code into the application, potentially compromising user accounts and sensitive data. Versions 3.6.6 and earlier are vulnerable, and a fix is available in version 3.6.7.
The XSS vulnerability in WeGIA arises from insufficient sanitization of user-supplied input in the novo_memorandoo.php endpoint. An attacker can craft a malicious URL containing a JavaScript payload within the sccs GET parameter. When a user clicks this link, the injected script executes in their browser context, allowing the attacker to steal cookies, redirect the user to a phishing site, or deface the application. The impact can range from minor annoyance to complete account takeover, depending on the attacker's skill and the privileges of the affected user. This vulnerability is particularly concerning for charitable organizations, as it could expose sensitive donor information or disrupt fundraising efforts.
CVE-2026-33135 was publicly disclosed on 2026-03-20. No public proof-of-concept (POC) code has been released at the time of writing, but the vulnerability's simplicity suggests that a POC is likely to emerge. The EPSS score is likely to be medium, given the ease of exploitation and the potential impact on charitable organizations. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.03% (9% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-33135 is to immediately upgrade WeGIA to version 3.6.7 or later, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious JavaScript code in the sccs parameter. Input validation and output encoding should be implemented to prevent future XSS vulnerabilities. Regularly review and update the application's security configuration to ensure best practices are followed. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload via the sccs parameter and verifying that it is properly sanitized.
Update WeGIA to version 3.6.7 or higher. This version contains a fix for the XSS vulnerability. The update can be performed by downloading the new version from the vendor's website or using the built-in update mechanism in the application.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-33135 is a critical Reflected Cross-Site Scripting (XSS) vulnerability in WeGIA versions 3.6.6 and below, allowing attackers to inject JavaScript code.
Yes, if you are using WeGIA version 3.6.6 or earlier, you are vulnerable to this XSS attack.
Upgrade WeGIA to version 3.6.7 or later to resolve this vulnerability. Implement a WAF rule as a temporary workaround.
While no active exploitation has been confirmed, the vulnerability's simplicity suggests it is likely to be targeted.
Refer to the WeGIA official website or security advisories for the latest information and updates regarding this vulnerability.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.