PHP XSS (CVE-2026-33135)
WeGIA is a web manager for charitable institutions. Versions 3.6.6 and below have a Reflected Cross-Site Scripting (XSS) vulnerability in the novo_memorandoo.php endpoint. An attacker can inject arbit...
Overview
A critical security vulnerability has been identified in the WeGIA Web Manager, a platform used for managing charitable institutions. Tracked as CVE-2026-33135, this is a Reflected Cross-Site Scripting (XSS) flaw that affects versions 3.6.6 and below. The issue has been resolved in version 3.6.7.
Vulnerability Details
The vulnerability exists in the novo_memorandoo.php endpoint. Specifically, the application takes user input from the sccs parameter of a GET request and inserts it directly into the page's HTML without validating it or encoding it for the output context first.
In simple terms, an attacker can craft a malicious link containing JavaScript code. If an administrator or user with privileges clicks this link while logged into WeGIA, the attacker’s script executes within the victim’s browser session. This happens because the vulnerable code (around line 273 in /html/memorando/novo_memorandoo.php) directly echoes the malicious input into a success message alert on the page.
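The pattern the advisory describes, modelled in a few lines of PHP with the hardened form beside it. This is added illustration, not the WeGIA source or its 3.6.7 fix; the function names, the assumption that the message is shown both as an HTML alert box and via a JavaScript alert(), and the meaning of the sccs value are all assumptions:

```php
<?php
// Added illustration, not WeGIA code. It models the shape described in the
// advisory: a GET parameter ("sccs") echoed into a success message without
// output encoding. Function names and the two alert contexts are assumed.
declare(strict_types=1);

// Vulnerable shape: raw request data lands in an HTML text node and, if the
// message is also raised with alert(), inside a JavaScript string literal.
function render_success_vulnerable(string $sccs): string
{
    return '<div class="alert alert-success">' . $sccs . '</div>'
         . "<script>alert('" . $sccs . "');</script>";
}

// Hardened shape: encode for the exact output context the value lands in.
//  - HTML text node: htmlspecialchars with ENT_QUOTES escapes <, >, &, " and '.
//  - JavaScript string: json_encode with the HEX flags, so the value can neither
//    terminate the string literal nor contain a literal "</script>".
function render_success_hardened(string $sccs): string
{
    $html = htmlspecialchars($sccs, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    $js   = json_encode(
        $sccs,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
        | JSON_INVALID_UTF8_SUBSTITUTE | JSON_THROW_ON_ERROR
    );
    return '<div class="alert alert-success">' . $html . '</div>'
         . '<script>alert(' . $js . ');</script>';
}

// Stronger still when the parameter only signals an outcome: map it to a fixed
// server-side message and never reflect the raw value at all. (That sccs is a
// simple status flag is an assumption, not something the advisory states.)
function message_for_flag(string $sccs): ?string
{
    $messages = ['1' => 'Memorandum saved successfully.'];
    return $messages[$sccs] ?? null;
}

// Constructed sample input (used when run from the CLI, where $_GET is empty):
// it contains the characters that break out of each of the two contexts.
$input = isset($_GET['sccs']) ? (string) $_GET['sccs'] : "Saved</div><b>\"x\"'&";

echo message_for_flag($input) ?? render_success_hardened($input), PHP_EOL;
```

Compare the output of render_success_vulnerable() and render_success_hardened() on the sample string to see which characters each context must neutralise.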
Potential Impact
Rated as CRITICAL with a CVSS score of 9.3, this flaw poses a severe risk. Since WeGIA manages sensitive charitable and institutional data, successful exploitation could allow an attacker to:
- Hijack an administrator’s browser session and gain unauthorized access to the system.
- Perform actions on behalf of the logged-in user, such as creating new users, modifying data, or accessing donor information.
- Deface the application or redirect users to malicious sites.
This type of vulnerability is a common vector for initiating larger attacks and data breaches. For insights into how such flaws can lead to incidents, you can review historical breach reports.
Remediation and Mitigation
The primary and mandatory action is to update the WeGIA Web Manager to version 3.6.7 or later immediately. This version contains the necessary fix to properly sanitize the user input.
Action Steps:
- Update Immediately: All users of WeGIA versions 3.6.6 and below must upgrade to version 3.6.7 without delay. Obtain the update from the official WeGIA distribution channel.
- No Effective Workaround: Due to the nature of the flaw, there is no reliable configuration-based workaround. Patching is the only complete solution.
- Security Awareness: Remind users to be cautious of unsolicited links, even those that appear to come from within the organization’s domain.
Staying informed about such vulnerabilities is crucial for maintaining organizational security. For the latest updates on threats and patches, follow our security news section.