CVE-2026-33135
Published: 20 March 2026
Summary
CVE-2026-33135 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Wegia Wegia. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002); ranked at the 13.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of HTTP GET parameters like 'sccs' to reject malicious JavaScript injections before they are processed and echoed.
Mandates filtering and encoding of user-supplied data in outputs such as HTML alert divs to prevent arbitrary script execution in the victim's browser.
Directs timely patching of flaws like the unsanitized concatenation in novo_memorandoo.php, as fixed in WeGIA 3.6.7.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS via malicious GET parameter enables crafted phishing links (T1566.002) that trigger user execution (T1204.001) of arbitrary JavaScript (T1059.007) in the browser, directly facilitating session cookie theft (T1539) and browser session hijacking (T1185).
NVD Description
WeGIA is a web manager for charitable institutions. Versions 3.6.6 and below have a Reflected Cross-Site Scripting (XSS) vulnerability in the novo_memorandoo.php endpoint. An attacker can inject arbitrary JavaScript into the sccs GET parameter, which is directly echoed into the…
more
HTML response without any sanitization or encoding. The script /html/memorando/novo_memorandoo.php reads HTTP GET parameters to display dynamic success messages to the user. At approximately line 273, the code checks if $_GET['msg'] equals 'success'. If true, it directly concatenates $_GET['sccs'] into an HTML alert <div> and outputs it to the browser. This issue has been fixed in version 3.6.7.
Deeper analysisAI
CVE-2026-33135 is a reflected cross-site scripting (XSS) vulnerability affecting WeGIA, an open-source web manager for charitable institutions, in versions 3.6.6 and prior. The flaw resides in the /html/memorando/novo_memorandoo.php endpoint, where the application reads HTTP GET parameters to generate dynamic success messages. Specifically, around line 273, if the 'msg' parameter equals 'success', the 'sccs' parameter is directly concatenated into an HTML alert div and output to the browser without sanitization or encoding, allowing arbitrary JavaScript injection. The vulnerability is rated with a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N) and maps to CWE-79.
Any unauthenticated attacker with network access can exploit this issue by crafting a malicious URL that includes a 'msg=success' parameter paired with a JavaScript payload in the 'sccs' parameter. The target user must interact by visiting the link, such as clicking a phishing email or social engineering lure, which triggers the payload execution in their browser context. Successful exploitation enables high-impact confidentiality and integrity violations, such as stealing session cookies, credentials, or sensitive data from the application, or performing actions on behalf of the victim due to the changed scope.
Mitigation is available via upgrade to WeGIA version 3.6.7, where the issue has been addressed. Relevant GitHub resources include the fixing pull request at https://github.com/LabRedesCefetRJ/WeGIA/pull/1459, the release page at https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7, and the security advisory at https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w5rv-5884-w94v.
Details
- CWE(s)