{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33135", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T20:35:49.928Z", "datePublished": "2026-03-20T10:38:44.065Z", "dateUpdated": "2026-03-20T13:44:02.877Z"}, "containers": {"cna": {"title": "WeGIA has Reflected Cross-Site Scripting (XSS) in `novo_memorandoo.php` via `sccs` parameter", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w5rv-5884-w94v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w5rv-5884-w94v"}, {"name": "https://github.com/LabRedesCefetRJ/WeGIA/pull/1459", "tags": ["x_refsource_MISC"], "url": "https://github.com/LabRedesCefetRJ/WeGIA/pull/1459"}, {"name": "https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7"}], "affected": [{"vendor": "LabRedesCefetRJ", "product": "WeGIA", "versions": [{"version": "< 3.6.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T10:38:44.065Z"}, "descriptions": [{"lang": "en", "value": "WeGIA is a web manager for charitable institutions. Versions 3.6.6 and below have a Reflected Cross-Site Scripting (XSS) vulnerability in the novo_memorandoo.php endpoint. An attacker can inject arbitrary JavaScript into the sccs GET parameter, which is directly echoed into the HTML response without any sanitization or encoding. The script /html/memorando/novo_memorandoo.php reads HTTP GET parameters to display dynamic success messages to the user. At approximately line 273, the code checks if $_GET['msg'] equals 'success'. If true, it directly concatenates $_GET['sccs'] into an HTML alert <div> and outputs it to the browser. This issue has been fixed in version 3.6.7."}], "source": {"advisory": "GHSA-w5rv-5884-w94v", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w5rv-5884-w94v", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T13:43:59.114929Z", "id": "CVE-2026-33135", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T13:44:02.877Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33135", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T13:43:59.114929Z"}}}], "references": [{"url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w5rv-5884-w94v", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T13:43:52.010Z"}}], "cna": {"title": "WeGIA has Reflected Cross-Site Scripting (XSS) in `novo_memorandoo.php` via `sccs` parameter", "source": {"advisory": "GHSA-w5rv-5884-w94v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "LabRedesCefetRJ", "product": "WeGIA", "versions": [{"status": "affected", "version": "< 3.6.7"}]}], "references": [{"url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w5rv-5884-w94v", "name": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w5rv-5884-w94v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/LabRedesCefetRJ/WeGIA/pull/1459", "name": "https://github.com/LabRedesCefetRJ/WeGIA/pull/1459", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7", "name": "https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WeGIA is a web manager for charitable institutions. Versions 3.6.6 and below have a Reflected Cross-Site Scripting (XSS) vulnerability in the novo_memorandoo.php endpoint. An attacker can inject arbitrary JavaScript into the sccs GET parameter, which is directly echoed into the HTML response without any sanitization or encoding. The script /html/memorando/novo_memorandoo.php reads HTTP GET parameters to display dynamic success messages to the user. At approximately line 273, the code checks if $_GET['msg'] equals 'success'. If true, it directly concatenates $_GET['sccs'] into an HTML alert <div> and outputs it to the browser. This issue has been fixed in version 3.6.7."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T10:38:44.065Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33135", "state": "PUBLISHED", "dateUpdated": "2026-03-20T13:44:02.877Z", "dateReserved": "2026-03-17T20:35:49.928Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T10:38:44.065Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D7D6601-2E0C-45E4-BD44-829D2FD7F97C", "versionEndExcluding": "3.6.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WeGIA is a web manager for charitable institutions. Versions 3.6.6 and below have a Reflected Cross-Site Scripting (XSS) vulnerability in the novo_memorandoo.php endpoint. An attacker can inject arbitrary JavaScript into the sccs GET parameter, which is directly echoed into the HTML response without any sanitization or encoding. The script /html/memorando/novo_memorandoo.php reads HTTP GET parameters to display dynamic success messages to the user. At approximately line 273, the code checks if $_GET['msg'] equals 'success'. If true, it directly concatenates $_GET['sccs'] into an HTML alert <div> and outputs it to the browser. This issue has been fixed in version 3.6.7."}, {"lang": "es", "value": "WeGIA es un gestor web para instituciones ben\u00e9ficas. Las versiones 3.6.6 e inferiores tienen una vulnerabilidad de Cross-Site Scripting (XSS) Reflejado en el endpoint novo_memorandoo.php. Un atacante puede inyectar JavaScript arbitrario en el par\u00e1metro GET sccs, el cual es directamente reflejado en la respuesta HTML sin ninguna sanitizaci\u00f3n o codificaci\u00f3n. El script /html/memorando/novo_memorandoo.php lee par\u00e1metros GET HTTP para mostrar mensajes de \u00e9xito din\u00e1micos al usuario. Aproximadamente en la l\u00ednea 273, el c\u00f3digo verifica si $_GET['msg'] es igual a 'success'. Si es verdadero, concatena directamente $_GET['sccs'] en un de alerta HTML y lo env\u00eda al navegador. Este problema ha sido solucionado en la versi\u00f3n 3.6.7."}], "id": "CVE-2026-33135", "lastModified": "2026-03-20T19:25:45.043", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-20T11:18:03.360", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/LabRedesCefetRJ/WeGIA/pull/1459"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w5rv-5884-w94v"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w5rv-5884-w94v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.6.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "WeGIA", "source": "cna", "vendor": "LabRedesCefetRJ"}, "product": "wegia", "vendor": "labredescefetrj"}], "analysis": {"en": {"generated_at": "2026-03-20T12:20:59.548466+00:00", "value": {"mitigation_remediation": ["Upgrade WeGIA to version 3.6.7 or newer", "Verify the upgrade by testing the novo_memorandoo.php endpoint and ensuring no reflected XSS is possible"], "summary": {"action": "Apply Patch", "impact": "Reflected Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The affected product is WeGIA from LabRedesCefetRJ. Versions 3.6.6 and earlier are vulnerable; the issue is resolved in version 3.6.7. No other products or vendors are listed.", "description_and_impact": "WeGIA, a web manager for charitable institutions, contains a Reflected Cross\u2011Site Scripting (XSS) flaw in its novo_memorandoo.php endpoint. The vulnerability is caused by directly echoing the GET parameter \"sccs\" into an HTML alert without any sanitization or encoding. An attacker who can lure a user to a crafted URL can inject arbitrary JavaScript that will execute in the victim\u2019s browser, potentially enabling session hijacking, defacement, or data theft. This is a classic example of CWE\u201179, where reflected input is inadequately handled.", "risk_and_exploitability": "The CVSS score for this flaw is 9.3, indicating critical severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be network via the HTTP GET parameter, as the vulnerability is triggered when a user navigates to a URL containing the malicious \"sccs\" value. Exploitation requires the target user\u2019s browser to render the crafted page, making social engineering or phishing a likely delivery method."}}}}, "created": "2026-03-20T14:13:40.235194+00:00", "updated": "2026-03-20T16:27:19.036304+00:00", "vendors": ["labredescefetrj", "labredescefetrj$PRODUCT$wegia"]}