CVE-2026-23728

6.1 MEDIUM

📋 TL;DR

WeGIA versions before 3.6.2 contain an open redirect vulnerability in the control.php endpoint. Attackers can manipulate the nextPage parameter to redirect users to malicious external websites, potentially leading to phishing or malware distribution. All WeGIA instances running vulnerable versions are affected.

💻 Affected Systems

Products:
  • WeGIA
Versions: All versions prior to 3.6.2
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the control.php endpoint to be accessible, which is typically exposed in standard installations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Users are redirected to convincing phishing sites that steal credentials or install malware, leading to account compromise and potential institutional data breaches.

🟠 Likely Case

Attackers use the trusted WeGIA domain to redirect users to phishing pages, increasing the success rate of credential harvesting.

🟢 If Mitigated

With proper URL validation, redirects are restricted to relative paths or trusted domains only, preventing external redirection.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires crafting a malicious URL with the vulnerable parameters, which is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.6.2

Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-jf25-p56f-wpgh

Restart Required: No

Instructions:

1. Download WeGIA version 3.6.2 from the official repository.
2. Replace the existing installation files with the patched version.
3. Verify the fix by testing the control.php endpoint.

🔧 Temporary Workarounds

Input Validation via Web Application Firewall (all)

Configure WAF rules to block requests containing external URLs in the nextPage parameter.

Endpoint Restriction (all)

Restrict access to the /WeGIA/controle/control.php endpoint to trusted IP addresses only.

🧯 If You Can't Patch

  • Implement strict URL validation in the application code to allow only relative or trusted domain redirects.
  • Monitor logs for suspicious redirect patterns and block malicious IP addresses.

🔍 How to Verify

Check if Vulnerable:

Test by requesting a URL like /WeGIA/controle/control.php?metodo=listarTodos&nomeClasse=DestinoControle&nextPage=http://malicious.example.com and checking whether the response redirects to that external host.

Check Version:

Check the WeGIA version in the application interface or configuration files.

Verify Fix Applied:

After patching, repeat the vulnerable URL test; it should not redirect to external domains.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to control.php with external URLs in the nextPage parameter
  • Unusual redirect patterns in access logs

Network Indicators:

  • Outbound connections to suspicious domains following WeGIA access

SIEM Query:

source="wegia_logs" AND uri="/WeGIA/controle/control.php" AND query="*nextPage=http*"
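The following is an added example, not code from the WeGIA project or from this advisory. It demonstrates both the "If You Can't Patch" recommendation (strict URL validation that allows only relative or trusted-domain redirects) and the log-indicator check above: an allowlist-based redirect validator, and an access-log scanner that runs that validator over every nextPage value sent to control.php. The trusted host name, the log format and the log lines are all constructed for the example.

```python
# Added example (not WeGIA project code): allowlist-based redirect validation
# plus an access-log scanner that flags open-redirect attempts against
# control.php. The host, log format and log lines are constructed samples.
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the host(s) on which this WeGIA instance is legitimately served.
TRUSTED_HOSTS = {"wegia.example.org"}

# Common Log Format request line parser (constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def is_safe_redirect(target: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    """Return True only for root-relative paths or absolute http(s) URLs
    whose host is in the allowlist.

    Rejects scheme-relative targets ("//evil"), backslash variants ("/\\evil",
    which browsers treat like "//"), non-http schemes ("javascript:"),
    userinfo tricks ("https://trusted@evil") and any other external host.
    """
    target = target.strip()
    if not target:
        return False
    # Control characters or embedded whitespace are never legitimate here.
    if re.search(r"[\x00-\x20]", target):
        return False
    # Root-relative path: exactly one leading "/", not "//" or "/\".
    if target.startswith("/"):
        return not target.startswith(("//", "/\\"))
    if target.startswith("\\"):
        return False
    parts = urlsplit(target)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    # hostname is None for "http:evil.com" (no netloc), which is rejected.
    host = (parts.hostname or "").lower()
    return host in {h.lower() for h in trusted_hosts}


def find_open_redirect_attempts(log_text: str, trusted_hosts=TRUSTED_HOSTS):
    """Return one record per control.php request whose (URL-decoded) nextPage
    value fails is_safe_redirect()."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("uri"))
        if not parts.path.endswith("/controle/control.php"):
            continue
        # parse_qs percent-decodes values, so encoded "http%3A%2F%2F" is seen.
        for value in parse_qs(parts.query).get("nextPage", []):
            if not is_safe_redirect(value, trusted_hosts):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "nextPage": value,
                    "status": int(m.group("status")),
                })
    return hits


# Constructed sample log lines (not real traffic). Line 1 is a plain external
# target, line 3 a scheme-relative one, lines 2 and 5 are legitimate.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:10:01:02 +0000] "GET /WeGIA/controle/control.php?metodo=listarTodos&nomeClasse=DestinoControle&nextPage=http://malicious.example.com HTTP/1.1" 302 0
203.0.113.7 - - [10/Mar/2026:10:01:05 +0000] "GET /WeGIA/controle/control.php?metodo=listarTodos&nomeClasse=DestinoControle&nextPage=%2FWeGIA%2Fhome.php HTTP/1.1" 302 0
203.0.113.9 - - [10/Mar/2026:10:02:11 +0000] "GET /WeGIA/controle/control.php?metodo=listarTodos&nomeClasse=DestinoControle&nextPage=//malicious.example.com/login HTTP/1.1" 302 0
198.51.100.2 - - [10/Mar/2026:10:03:00 +0000] "GET /WeGIA/home.php HTTP/1.1" 200 1234
203.0.113.7 - - [10/Mar/2026:10:04:00 +0000] "GET /WeGIA/controle/control.php?metodo=listarTodos&nomeClasse=DestinoControle&nextPage=https%3A%2F%2Fwegia.example.org%2Fhome.php HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for hit in find_open_redirect_attempts(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} nextPage={hit["nextPage"]!r} status={hit["status"]}')
```

Two design points worth noting. The validator uses an exact host allowlist rather than a substring or prefix match, so "wegia.example.org.malicious.example.com" and "https://wegia.example.org@malicious.example.com/" are both rejected. And the scanner decodes the query string before checking, which the SIEM query above does not: a pattern of "*nextPage=http*" matches the literal form only, so percent-encoded ("nextPage=http%3A%2F%2F...") and scheme-relative ("nextPage=//...") requests slip past it; widening the SIEM rule to those forms, or running a decoded check like this one, closes that gap.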
