{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33136", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T20:35:49.928Z", "datePublished": "2026-03-20T10:41:05.336Z", "dateUpdated": "2026-03-20T15:33:03.599Z"}, "containers": {"cna": {"title": "WeGIA has Reflected Cross-Site Scripting (XSS) in `listar_memorandos_ativos.php` via `sccd` parameter", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-xjqp-5q3h-2cxh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-xjqp-5q3h-2cxh"}, {"name": "https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7"}], "affected": [{"vendor": "LabRedesCefetRJ", "product": "WeGIA", "versions": [{"version": "< 3.6.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T10:41:05.336Z"}, "descriptions": [{"lang": "en", "value": "WeGIA is a web manager for charitable institutions. Versions 3.6.6 and below have a Reflected Cross-Site Scripting (XSS) vulnerability in the listar_memorandos_ativos.php endpoint. An attacker can inject arbitrary JavaScript or HTML tags into the sccd GET parameter, which is then directly echoed into the HTML response without any sanitization or encoding. The script /html/memorando/listar_memorandos_ativos.php handles dynamic success messages to users using query string parameters. Similar to other endpoints in the Memorando module, it checks if $_GET['msg'] equals 'success'. If this condition is met, it directly concatenates and reflects $_GET['sccd'] into an HTML alert <div>. This issue is resolved in version 3.6.7."}], "source": {"advisory": "GHSA-xjqp-5q3h-2cxh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T15:30:32.653068Z", "id": "CVE-2026-33136", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:33:03.599Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33136", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T15:30:32.653068Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:32:58.385Z"}}], "cna": {"title": "WeGIA has Reflected Cross-Site Scripting (XSS) in `listar_memorandos_ativos.php` via `sccd` parameter", "source": {"advisory": "GHSA-xjqp-5q3h-2cxh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "LabRedesCefetRJ", "product": "WeGIA", "versions": [{"status": "affected", "version": "< 3.6.7"}]}], "references": [{"url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-xjqp-5q3h-2cxh", "name": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-xjqp-5q3h-2cxh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7", "name": "https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WeGIA is a web manager for charitable institutions. Versions 3.6.6 and below have a Reflected Cross-Site Scripting (XSS) vulnerability in the listar_memorandos_ativos.php endpoint. An attacker can inject arbitrary JavaScript or HTML tags into the sccd GET parameter, which is then directly echoed into the HTML response without any sanitization or encoding. The script /html/memorando/listar_memorandos_ativos.php handles dynamic success messages to users using query string parameters. Similar to other endpoints in the Memorando module, it checks if $_GET['msg'] equals 'success'. If this condition is met, it directly concatenates and reflects $_GET['sccd'] into an HTML alert <div>. This issue is resolved in version 3.6.7."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T10:41:05.336Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33136", "state": "PUBLISHED", "dateUpdated": "2026-03-20T15:33:03.599Z", "dateReserved": "2026-03-17T20:35:49.928Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T10:41:05.336Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D7D6601-2E0C-45E4-BD44-829D2FD7F97C", "versionEndExcluding": "3.6.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WeGIA is a web manager for charitable institutions. Versions 3.6.6 and below have a Reflected Cross-Site Scripting (XSS) vulnerability in the listar_memorandos_ativos.php endpoint. An attacker can inject arbitrary JavaScript or HTML tags into the sccd GET parameter, which is then directly echoed into the HTML response without any sanitization or encoding. The script /html/memorando/listar_memorandos_ativos.php handles dynamic success messages to users using query string parameters. Similar to other endpoints in the Memorando module, it checks if $_GET['msg'] equals 'success'. If this condition is met, it directly concatenates and reflects $_GET['sccd'] into an HTML alert <div>. This issue is resolved in version 3.6.7."}, {"lang": "es", "value": "WeGIA es un gestor web para instituciones ben\u00e9ficas. Versiones 3.6.6 e inferiores tienen una vulnerabilidad de cross-site scripting (XSS) reflejado en el endpoint listar_memorandos_ativos.php. Un atacante puede inyectar JavaScript o etiquetas HTML arbitrarias en el par\u00e1metro GET sccd, que luego se refleja directamente en la respuesta HTML sin ninguna sanitizaci\u00f3n o codificaci\u00f3n. El script /html/memorando/listar_memorandos_ativos.php maneja mensajes de \u00e9xito din\u00e1micos para los usuarios utilizando par\u00e1metros de cadena de consulta. Similar a otros endpoints en el m\u00f3dulo Memorando, verifica si $_GET['msg'] es igual a 'success'. Si se cumple esta condici\u00f3n, concatena y refleja directamente $_GET['sccd'] en un de alerta HTML. Este problema se resuelve en la versi\u00f3n 3.6.7."}], "id": "CVE-2026-33136", "lastModified": "2026-03-20T19:23:40.980", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-20T11:18:03.527", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-xjqp-5q3h-2cxh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.6.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "WeGIA", "source": "cna", "vendor": "LabRedesCefetRJ"}, "product": "wegia", "vendor": "labredescefetrj"}], "analysis": {"en": {"generated_at": "2026-03-20T12:20:49.932265+00:00", "value": {"mitigation_remediation": ["Upgrade WeGIA to version 3.6.7 or newer.", "Verify that the update has been applied by checking the application\u2019s version information or confirming the presence of the fix in the codebase.", "If an immediate upgrade is not feasible, consider blocking or limiting access to the listar_memorandos_ativos.php endpoint or implementing input sanitization on the sccd parameter using a web application firewall.", "Regularly monitor the vendor\u2019s website or security advisories for further updates and confirm that the vulnerability has been removed in subsequent releases.", "Report and investigate any suspicious user activity that may indicate exploitation of reflected XSS in the application."], "summary": {"action": "Immediate Patch", "impact": "Reflected Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "Affected vendor: LabRedesCefetRJ. Product: WeGIA web manager. Vulnerable versions: 3.6.6 and below. The issue is resolved in WeGIA version 3.6.7. The vulnerability is present only in releases prior to 3.6.7.", "description_and_impact": "The vulnerability is a Reflected Cross\u2011Site Scripting (XSS) condition in the listar_memorandos_ativos.php endpoint of the WeGIA web manager. The server directly echoes the value of the $_GET['sccd'] parameter into an HTML alert <div> without sanitization or encoding. An attacker can supply arbitrary JavaScript or HTML tags in that parameter, causing the payload to execute in the victim\u2019s browser when the page is displayed. This enables client\u2011side code execution that can steal session cookies, deface the interface, or redirect users to malicious sites. Because the malicious script runs in the context of the victim\u2019s session, it has the potential to exfiltrate sensitive information and hijack sessions, affecting confidentiality and integrity of user data. The impact is limited to the individual victim\u2019s browser session, but it can be exploited against any user who visits the crafted URL.", "risk_and_exploitability": "CVSS score of 9.3 denotes a high severity vulnerability. The EPSS score is not provided, so exact exploit probability cannot be quantified, but the lack of an authentication requirement and the visibility of the vulnerable endpoint make exploitation straightforward. The vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no public reports of active exploitation at the time of analysis. The likely attack vector is a reflected XSS attack executed via a crafted URL (web). An attacker simply needs to lure or trick a user into visiting a URL containing a malicious sccd value; no user credentials or privileged access are required. Given the high CVSS score, the risk is considered high for any organization running a vulnerable WeGIA instance."}}}}, "created": "2026-03-20T14:13:38.859587+00:00", "updated": "2026-03-20T16:27:18.117907+00:00", "vendors": ["labredescefetrj", "labredescefetrj$PRODUCT$wegia"]}