PHP XSS (CVE-2026-33136)
CVE-2026-33136
WeGIA is a web manager for charitable institutions. Versions 3.6.6 and below have a Reflected Cross-Site Scripting (XSS) vulnerability in the listar_memorandos_ativos.php endpoint. An attacker can inj...
Overview
A critical security vulnerability, tracked as CVE-2026-33136, has been identified in WeGIA, a web manager for charitable institutions. This flaw is a Reflected Cross-Site Scripting (XSS) vulnerability that affects versions 3.6.6 and below. The issue allows an attacker to inject malicious scripts into web pages viewed by users, potentially compromising their interactions with the application.
Vulnerability Details
The vulnerability exists in the listar_memorandos_ativos.php endpoint. Specifically, the application fails to properly sanitize or encode user input passed through the sccd GET parameter. When a dynamic success message is triggered (by setting msg=success in the URL), the application directly echoes the unsanitized contents of the sccd parameter into the HTML response. This allows an attacker to craft a malicious URL containing JavaScript or HTML payloads in the sccd parameter. When an authenticated user clicks this link, the malicious script executes in their browser context.
Potential Impact
The impact of this vulnerability is severe (CVSS score: 9.3). A successful attack could allow a malicious actor to:
- Steal sensitive session cookies, leading to account takeover.
- Perform actions on behalf of the authenticated user without their consent.
- Deface the application or redirect users to malicious websites.
- Capture keystrokes or harvest confidential data entered by users.
Such exploits are often the first step in a larger attack chain that can lead to a full system compromise or data breach. For insights into real-world consequences of such vulnerabilities, you can review related incidents in our breach reports.
Remediation and Mitigation
The primary and most effective remediation is to upgrade WeGIA to version 3.6.7 or later, where this vulnerability has been resolved. The vendor has corrected the code to properly sanitize the sccd parameter input.
Immediate Actions:
- Upgrade: All organizations using WeGIA versions 3.6.6 or below must immediately plan and execute an upgrade to version 3.6.7.
- Input Validation: As a general security practice, ensure all user-supplied input is validated, sanitized, and encoded before being reflected in output.
- Security Awareness: Educate users to be cautious of unsolicited links, even those that appear to come from within the organization’s domain.
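The reflection pattern described in the vulnerability details, next to a hardened version of the same output that follows the validate-then-encode advice above. This is an added illustration, not WeGIA's source or the vendor's fix; the parameter names msg and sccd come from the advisory, while the surrounding markup and the allowed character set for sccd are assumptions.

```php
<?php
// Added illustration, not WeGIA's source or the vendor's fix: the reflection
// pattern the advisory describes, beside a hardened version of the same output.
// Parameter names (msg, sccd) come from the advisory; markup and the allowed
// value shape are assumptions.
declare(strict_types=1);

// Vulnerable pattern: when msg=success, sccd is concatenated into the HTML
// unchanged, so any tags or event handlers in it are parsed as markup.
function render_notice_vulnerable(array $get): string
{
    if (($get['msg'] ?? '') !== 'success') {
        return '';
    }
    return '<div class="alert alert-success">' . (string)($get['sccd'] ?? '') . '</div>';
}

// Hardened pattern (defence in depth, as the remediation section recommends):
// 1. validate: accept only the short identifier shape this parameter should carry
//    (the pattern below is assumed; tighten it to what the application really needs);
// 2. encode: escape for the HTML text context at the point of output.
function render_notice_hardened(array $get): string
{
    if (($get['msg'] ?? '') !== 'success') {
        return '';
    }
    $sccd = (string)($get['sccd'] ?? '');
    if (!preg_match('/^[A-Za-z0-9 _-]{0,80}$/', $sccd)) {
        // Unexpected characters: reflect nothing user-supplied at all, rather
        // than trying to "clean" a value that should never contain markup.
        return '<div class="alert alert-success">Operation completed.</div>';
    }
    // ENT_QUOTES also covers attribute contexts; an explicit charset avoids
    // encoder/browser charset mismatches.
    return '<div class="alert alert-success">'
        . htmlspecialchars($sccd, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</div>';
}

// Constructed request: markup in sccd instead of a plain value.
$request = ['msg' => 'success', 'sccd' => '<b onmouseover="x()">done</b>'];

echo render_notice_vulnerable($request), PHP_EOL; // the tag reaches the browser as markup
echo render_notice_hardened($request), PHP_EOL;   // generic notice, nothing reflected
echo render_notice_hardened(['msg' => 'success', 'sccd' => 'Memo 42']), PHP_EOL;
```

Validation on its own is not enough (a legitimate value can still need encoding in a different output context), which is why the hardened function keeps both steps.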
Staying informed about such threats is crucial for maintaining a strong security posture. For the latest updates on vulnerabilities and patches, follow our security news. There is no effective workaround for this flaw; applying the official patch is the only complete solution.