CVE-2026-23726
📋 TL;DR
This CVE describes an open redirect vulnerability in WeGIA web management software for charitable institutions. Attackers can redirect users to malicious external websites via the /WeGIA/controle/control.php endpoint, potentially enabling phishing and credential theft. All WeGIA installations prior to version 3.6.2 are affected.
💻 Affected Systems
- WeGIA
📦 What is this software?
Wegia by Wegia
⚠️ Risk & Real-World Impact
Worst Case
Users are redirected to convincing phishing sites that steal credentials or distribute malware, leading to account compromise, data breaches, or ransomware infections.
Likely Case
Attackers use the trusted WeGIA domain to redirect users to phishing pages, increasing success rates for credential harvesting campaigns.
If Mitigated
With proper URL validation and user awareness training, impact is limited to failed redirect attempts that may still erode user trust.
🎯 Exploit Status
Exploitation requires no authentication and involves simple URL manipulation, making it trivial for attackers to weaponize.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.6.2
Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-h7qx-j7g3-7fx3
Restart Required: Yes
Instructions:
1. Back up the current WeGIA installation and database.
2. Download WeGIA 3.6.2 from the official repository.
3. Replace the existing files with the patched version.
4. Restart the web server service.
🔧 Temporary Workarounds
Web Server URL Rewrite Rule
Block or redirect requests containing malicious nextPage parameters at the web server level.
# Apache example (in a .htaccess file at the document root; in server or
# virtual-host context the RewriteRule pattern needs a leading slash):
RewriteEngine On
RewriteCond %{QUERY_STRING} nextPage=.*http [NC]
RewriteRule ^WeGIA/controle/control\.php$ - [F,L]

# Nginx example:
location ~ ^/WeGIA/controle/control\.php$ {
    if ($args ~* "nextPage=.*http") {
        return 403;
    }
}
🧯 If You Can't Patch
- Implement WAF rules to block requests with external URLs in the nextPage parameter.
- Disable or restrict access to the /WeGIA/controle/control.php endpoint if not required for operations.
🔍 How to Verify
Check if Vulnerable:
Test by accessing the endpoint with an external URL: /WeGIA/controle/control.php?metodo=listarTodos&nomeClasse=TipoEntradaControle&nextPage=https://evil.com
Check Version:
Check the WeGIA version in the application interface or review the source code version files.
Verify Fix Applied:
After patching, repeat the vulnerable test - it should no longer redirect to external domains.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to control.php with nextPage parameter containing external domains
- Unusual redirect patterns in access logs
Network Indicators:
- Outbound connections from WeGIA server to unexpected external domains following control.php requests
SIEM Query:
source="web_logs" AND uri_path="/WeGIA/controle/control.php" AND query_string="*nextPage=*http*"
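The SIEM query above matches on the literal substring "http"; a log scanner that decodes the query string and classifies the nextPage target (absolute URL, scheme-relative //host, or a relative path within the site) gives tighter detection. The following is an added example, not code from WeGIA or the advisory; the access-log lines and the evil.example host are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2026:10:01:02 +0000] "GET /WeGIA/controle/control.php?metodo=listarTodos&nomeClasse=TipoEntradaControle&nextPage=https://evil.example HTTP/1.1" 302 0
203.0.113.5 - - [10/Jan/2026:10:01:05 +0000] "GET /WeGIA/controle/control.php?metodo=listarTodos&nomeClasse=TipoEntradaControle&nextPage=%2F%2Fevil.example%2Flogin HTTP/1.1" 302 0
198.51.100.7 - - [10/Jan/2026:10:02:00 +0000] "GET /WeGIA/controle/control.php?metodo=listarTodos&nomeClasse=TipoEntradaControle&nextPage=../html/listar.php HTTP/1.1" 302 0
198.51.100.7 - - [10/Jan/2026:10:02:30 +0000] "GET /WeGIA/html/index.php HTTP/1.1" 200 1532
"""

# Request line inside the quoted part of a combined-format log entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
ENDPOINT = "/WeGIA/controle/control.php"


def is_external_target(value: str) -> bool:
    """True if a nextPage value would send the browser off-site: an absolute URL
    (has a scheme or host), a scheme-relative //host form, or a backslash-prefixed
    value, checked after percent-decoding so encoded forms are not missed."""
    v = unquote(value).strip()
    if v.startswith(("//", "\\")):
        return True
    parts = urlsplit(v)
    return bool(parts.scheme or parts.netloc)


def find_redirect_abuse(log_text: str) -> list[dict]:
    """Return one record per control.php request whose nextPage leaves the site."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != ENDPOINT:
            continue
        for next_page in parse_qs(url.query).get("nextPage", []):
            if is_external_target(next_page):
                hits.append({"client": line.split()[0],
                             "nextPage": unquote(next_page),
                             "status": m.group("status")})
    return hits


if __name__ == "__main__":
    for hit in find_redirect_abuse(SAMPLE_LOG):
        print(hit)
```

The relative path ../html/listar.php in the third sample line is a normal in-site redirect and is not flagged, which keeps the alert volume to genuinely off-site targets.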