Login Sign Up

CVE-2026-23729

6.1 MEDIUM
Open Redirect

📋 TL;DR

WeGIA versions before 3.6.2 contain an open redirect vulnerability in the control.php endpoint. Attackers can manipulate the nextPage parameter to redirect users to malicious external websites, potentially leading to phishing or malware distribution. All WeGIA instances running vulnerable versions are affected.

💻 Affected Systems

Products:
  • WeGIA
Versions: All versions prior to 3.6.2
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the control.php endpoint to be accessible with the specific parameters.

📦 What is this software?

Wegia by Wegia

View all CVEs affecting Wegia →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Users redirected to convincing phishing sites that steal credentials or install malware, leading to full system compromise or data breach.

🟠

Likely Case

Phishing campaigns using the trusted WeGIA domain to trick users into visiting malicious sites or downloading malware.

🟢

If Mitigated

Users might see unexpected redirects but no direct compromise if they don't interact with malicious content.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple parameter manipulation with no authentication required makes exploitation trivial.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.6.2

Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w88p-v7h6-m728

Restart Required: No

Instructions:

1. Backup current installation. 2. Download WeGIA 3.6.2 from GitHub releases. 3. Replace vulnerable files with patched version. 4. Verify functionality.

🔧 Temporary Workarounds

Input Validation Filter

all

Add server-side validation to restrict nextPage parameter to allowed domains only.

Modify control.php to validate nextPage against whitelist of internal URLs

URL Rewrite Rule

all

Block or sanitize malicious redirect attempts at web server level.

Add rewrite rule in .htaccess or nginx config to filter suspicious nextPage values

🧯 If You Can't Patch

  • Implement WAF rules to block requests with external URLs in nextPage parameter
  • Monitor logs for unusual redirect patterns and alert on suspicious activity

🔍 How to Verify

Check if Vulnerable:

Test by accessing /WeGIA/controle/control.php?metodo=listarDescricao&nomeClasse=ProdutoControle&nextPage=http://external-malicious-site.com and check if redirect occurs.

Check Version:

Check WeGIA version in admin panel or read version file if available.

Verify Fix Applied:

After patching, repeat the test above - should result in error or no redirect to external site.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to control.php with external URLs in nextPage parameter
  • Unusual redirect patterns in access logs

Network Indicators:

  • Outbound connections from WeGIA server to unexpected external domains following control.php requests

SIEM Query:

source="wegia_logs" AND uri="/WeGIA/controle/control.php" AND query="*nextPage=http*"

📊 Metadata

CVE ID: CVE-2026-23729
CVSS v3 Score: 6.1 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-601
EPSS Score: 0.03% exploit probability (8.4th percentile)
Published: January 16, 2026
Last Updated: January 30, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-23729, you might also want to check these:

CVE-2025-43526 9.8

A URL validation vulnerability in macOS and Safari allows web content opened via file URLs to bypass...

Same vulnerability type (CWE-601)
CVE-2025-55031 9.8

This vulnerability in Firefox and Focus for iOS allows malicious web pages to trigger hybrid passkey...

Same vulnerability type (CWE-601)
CVE-2024-22891 9.8

CVE-2024-22891 is a critical remote code execution vulnerability in Nteract v0.28.0 that allows atta...

Same vulnerability type (CWE-601)