Platform: php
Component: wegia
Fixed in: 3.6.8
CVE-2026-33136 describes a Reflected Cross-Site Scripting (XSS) vulnerability affecting WeGIA, a web manager for charitable institutions. This vulnerability allows attackers to inject arbitrary JavaScript or HTML tags into the HTML response, potentially compromising user sessions and data. The vulnerability impacts versions 3.6.6 and earlier, and a fix is available in version 3.6.7.
The XSS vulnerability in WeGIA's listarmemorandosativos.php endpoint allows an attacker to inject malicious scripts directly into the web page viewed by other users. By crafting a malicious URL containing a specially crafted sccd GET parameter, an attacker can execute arbitrary JavaScript code in the victim's browser. This could lead to session hijacking, credential theft, defacement of the website, or redirection to malicious sites. The impact is particularly severe as WeGIA is used by charitable institutions, potentially exposing sensitive donor and beneficiary data.
CVE-2026-33136 was publicly disclosed on 2026-03-20. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's simplicity suggests it is likely to be exploited. The EPSS score is likely to be medium, given the ease of exploitation and the potential impact on charitable organizations. It is not currently listed on the CISA KEV catalog.
Exploit Status:
EPSS: 0.03% (10th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-33136 is to immediately upgrade WeGIA to version 3.6.7 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the listarmemorandosativos.php endpoint to sanitize user-supplied data. Web Application Firewalls (WAFs) can be configured to block requests containing suspicious JavaScript payloads in the sccd parameter. Regularly review and update WAF rules to ensure they are effective against emerging XSS attack patterns.
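The output-encoding workaround described above, as an added example that is not WeGIA's own code: a hypothetical PHP handler that reflects the `sccd` GET parameter into an HTML attribute, shown first in the unsafe pattern that produces a reflected XSS and then in the encoded and validated form. The identifier format enforced by `isValidSccd` is an assumption, not something the advisory states.

```php
<?php
// Added example, not WeGIA's code: how a reflected GET parameter becomes
// an XSS sink, and how output encoding plus input validation closes it.
declare(strict_types=1);

// Unsafe pattern: the raw parameter is concatenated into HTML, so any
// markup in the query string is rendered by the victim's browser.
function renderUnsafe(string $sccd): string
{
    return '<input type="hidden" name="sccd" value="' . $sccd . '">';
}

// Hardened pattern: encode for the HTML attribute context. ENT_QUOTES
// covers both quote styles, ENT_SUBSTITUTE avoids an empty result on
// invalid UTF-8, and the explicit charset keeps the encoding deterministic.
function renderEncoded(string $sccd): string
{
    $safe = htmlspecialchars($sccd, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="sccd" value="' . $safe . '">';
}

// Defence in depth: validate the parameter's shape before using it.
// Assumption (not from the advisory): sccd is a short identifier, so a
// strict character allow-list is appropriate; adjust to the real format.
function isValidSccd(string $sccd): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $sccd) === 1;
}

// Request handler that rejects malformed input and encodes what it reflects.
function handleRequest(array $query): string
{
    $sccd = isset($query['sccd']) && is_string($query['sccd']) ? $query['sccd'] : '';
    if (!isValidSccd($sccd)) {
        http_response_code(400);
        return 'Invalid sccd parameter';
    }
    return renderEncoded($sccd);
}

// Constructed sample values (not from the advisory): one that breaks out of
// the attribute with markup, and one that fits the assumed identifier shape.
$constructedHostile = '"><b>injected</b>';
$constructedBenign  = 'memo_2026';

echo renderUnsafe($constructedHostile), PHP_EOL;   // markup escapes the attribute
echo renderEncoded($constructedHostile), PHP_EOL;  // markup is rendered as text
echo handleRequest(['sccd' => $constructedHostile]), PHP_EOL;
echo handleRequest(['sccd' => $constructedBenign]), PHP_EOL;
```

Run with `php example.php` and compare the first two lines: in the encoded form the quote and angle brackets appear as entities, so the attribute boundary is preserved.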
Update WeGIA to version 3.6.7 or higher. This version contains the fix for the XSS vulnerability. Download the latest version from the official repository or the vendor's website.
CVE-2026-33136 is a critical Reflected Cross-Site Scripting (XSS) vulnerability in WeGIA versions 3.6.6 and below, allowing attackers to inject malicious scripts.
You are affected if you are using WeGIA version 3.6.6 or earlier. Upgrade to version 3.6.7 to mitigate the risk.
The recommended fix is to upgrade WeGIA to version 3.6.7. As a temporary workaround, implement input validation and output encoding on the vulnerable endpoint.
While no public exploits are currently known, the vulnerability's simplicity suggests it is likely to be exploited soon.
Refer to the WeGIA official website or security advisories for the latest information and updates regarding CVE-2026-33136.