CVE-2026-33136
Reflected XSS in WeGIA listar_memorandos_ativos.php Endpoint
Publication date: 2026-03-20
Last updated on: 2026-03-20
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wegia | wegia | < 3.6.7 (up to, excluding 3.6.7) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
Can you explain this vulnerability to me?
CVE-2026-33136 is a critical Reflected Cross-Site Scripting (XSS) vulnerability in the WeGIA web application, specifically in the listar_memorandos_ativos.php script. The vulnerability occurs because the application takes the value of the sccd GET parameter and directly inserts it into an HTML alert div without any sanitization or encoding.

When the msg GET parameter equals "success", the script concatenates and reflects the sccd parameter into the HTML response. Since no character encoding functions like htmlspecialchars() or htmlentities() are used, an attacker can inject arbitrary JavaScript or HTML code.

This allows an attacker to craft a URL that, when visited by an authenticated user, executes malicious scripts in the user's browser context. [1]
How can this vulnerability impact me?
If an attacker convinces an authenticated user, such as an administrator or staff member, to click on a specially crafted link exploiting this vulnerability, the injected malicious script will execute within the user's session. Possible consequences include:

- Session hijacking by stealing session cookies (e.g., PHPSESSID).
- Unauthorized administrative actions performed on behalf of the user.
- Redirection of the user to phishing or malicious websites.

Because the attack vector is network-based and requires low complexity with no privileges needed, the risk is high, and the vulnerability has a CVSS v3.1 base score of 9.3. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the vulnerable endpoint listar_memorandos_ativos.php for reflected Cross-Site Scripting (XSS) via the sccd GET parameter when the msg parameter equals 'success'.

A practical detection method is to send a crafted HTTP request to the endpoint with the parameters msg=success and sccd containing a harmless script payload, then observe whether the payload is reflected unsanitized in the HTML response.

For example, you can use curl to test the vulnerability with the following command:

- `curl -i "https://your-wegia-domain/WeGIA/html/memorando/listar_memorandos_ativos.php?msg=success&sccd=<svg/onload=alert(document.cookie)>"`

If the response contains the injected payload without encoding or sanitization, the vulnerability is present. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to upgrade the WeGIA application to version 3.6.7 or later, where this vulnerability has been fixed.
If upgrading immediately is not possible, apply output encoding to the sccd parameter (for example with htmlspecialchars()) before it is written into the HTML response, so that injected markup is rendered as text rather than executed.
Additionally, educate users to avoid clicking on suspicious or untrusted links that may exploit this vulnerability.
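The reflection pattern the answers above describe, beside its encoded form, as an added illustration for defenders. This is a constructed simplification and not WeGIA's source; the function names, the `$get` array parameter and the div markup are assumptions.

```php
<?php
// Constructed illustration of the CWE-79 pattern in this advisory and its fix.
// Hypothetical simplification; the real listar_memorandos_ativos.php differs.

// Vulnerable pattern: the raw sccd query value is concatenated into the
// HTML alert div whenever msg=success, with no encoding at the output point.
function renderAlertVulnerable(array $get): string
{
    if (($get['msg'] ?? '') !== 'success') {
        return '';
    }
    $sccd = $get['sccd'] ?? '';
    return '<div class="alert alert-success">' . $sccd . '</div>';
}

// Hardened pattern: encode for the HTML body context at the point of output.
// ENT_QUOTES also encodes single quotes, so the same helper stays safe if the
// value is later placed in an attribute; ENT_SUBSTITUTE prevents malformed
// UTF-8 from turning the whole message into an empty string. The charset
// argument must match the page's declared encoding. Non-string input
// (e.g. sccd[]=... producing an array) is rejected instead of reflected.
function renderAlertSafe(array $get): string
{
    if (($get['msg'] ?? '') !== 'success') {
        return '';
    }
    $raw  = $get['sccd'] ?? '';
    $sccd = is_string($raw)
        ? htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        : '';
    return '<div class="alert alert-success">' . $sccd . '</div>';
}

// Self-check with a constructed, harmless probe containing HTML metacharacters.
$probe = ['msg' => 'success', 'sccd' => '<b>"x"</b>'];
echo "vulnerable: " . renderAlertVulnerable($probe) . PHP_EOL; // reflected raw
echo "hardened:   " . renderAlertSafe($probe) . PHP_EOL;       // &lt;b&gt;&quot;x&quot;&lt;/b&gt;
```

Encoding at the output point is the fix; rejecting unexpected characters on input is a useful extra layer but not a substitute, since the same value may reach other output contexts.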