Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-45335

CVE-2026-45335: WeGIA Open Redirect Vulnerability

CVE-2026-45335 is an open redirect flaw in WeGIA web manager that allows attackers to redirect users to malicious sites via the nextPage parameter. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-45335 Overview

CVE-2026-45335 is an Open Redirect vulnerability [CWE-601] in WeGIA, a web manager used by charitable institutions. The flaw exists in the /WeGIA/controle/control.php endpoint and is triggered through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=InternoControle. The application fails to validate or restrict the nextPage value, letting attackers redirect authenticated users to arbitrary external domains. The issue affects WeGIA versions prior to 3.7.3 and is fixed in version 3.7.3.

Critical Impact

Attackers can abuse the trusted WeGIA domain to redirect users to attacker-controlled sites, enabling phishing, credential theft, malware distribution, and social engineering campaigns.

Affected Products

  • WeGIA web manager versions prior to 3.7.3
  • Deployments using the /WeGIA/controle/control.php endpoint
  • Charitable institution portals built on the WeGIA platform

Discovery Timeline

  • 2026-05-27 - CVE-2026-45335 published to NVD
  • 2026-05-27 - Last updated in NVD database

Technical Details for CVE-2026-45335

Vulnerability Analysis

The vulnerability resides in the control.php controller of the WeGIA application. When the controller receives a request containing metodo=listarTodos and nomeClasse=InternoControle, it consumes the nextPage parameter to determine where to send the user after processing. The controller treats the parameter as a trusted destination and performs a redirect without validating that the target points to an internal application route.

An attacker crafts a URL on the legitimate WeGIA host that embeds an external destination in nextPage. A victim clicking the link reaches the genuine WeGIA domain, passes any authentication checks, and is then redirected to the attacker-controlled site. The victim sees the institution's trusted hostname in the original link, which strengthens phishing pretexts.

Root Cause

The root cause is missing destination validation on a user-controlled redirect parameter, classified under [CWE-601] URL Redirection to Untrusted Site. The controller does not enforce an allow-list of internal paths, does not verify the host component, and does not strip absolute URLs from nextPage before issuing the redirect.

Attack Vector

Exploitation requires network access to the WeGIA instance and low-privileged authenticated context. No user interaction is needed beyond clicking the malicious link. An attacker constructs a request to /WeGIA/controle/control.php with metodo=listarTodos, nomeClasse=InternoControle, and a nextPage value pointing to an external attacker domain. The application responds with a redirect to that domain, enabling credential harvesting pages or malware delivery hosted under the appearance of WeGIA.

No public proof-of-concept exploit is listed for this CVE. See the GitHub Security Advisory GHSA-x85f-76c9-qw3x for vendor technical details.

Detection Methods for CVE-2026-45335

Indicators of Compromise

  • HTTP requests to /WeGIA/controle/control.php containing nextPage values that begin with http://, https://, //, or other absolute URL schemes.
  • Web server access logs showing 302 or 301 responses from control.php with Location headers pointing to external domains.
  • Referrer logs on external systems showing inbound traffic from the WeGIA host immediately following a redirect.

Detection Strategies

  • Inspect web access logs for control.php requests pairing metodo=listarTodos and nomeClasse=InternoControle with nextPage parameter values resolving outside the trusted application domain.
  • Deploy a Web Application Firewall (WAF) rule that flags or blocks redirect parameters containing absolute URLs or protocol-relative paths.
  • Correlate user click events from phishing email gateways with WeGIA outbound redirects to identify abuse campaigns.

Monitoring Recommendations

  • Monitor outbound Location headers from the WeGIA application and alert on any header whose host does not match the configured application host.
  • Track anomalous spikes in traffic to control.php with diverse nextPage values, which can indicate spraying by phishing operators.
  • Forward web server and application logs to a centralized analytics pipeline for retroactive hunting on the nextPage parameter pattern.

How to Mitigate CVE-2026-45335

Immediate Actions Required

  • Upgrade WeGIA to version 3.7.3 or later, which contains the official fix.
  • Audit existing web server logs for prior abuse of the nextPage parameter and notify affected users if external redirects are found.
  • Apply a temporary WAF rule blocking absolute URLs in the nextPage parameter until the patched version is deployed.

Patch Information

The maintainers released the fix in WeGIA 3.7.3. The patched version validates the nextPage parameter before performing the redirect. Refer to the GitHub Security Advisory GHSA-x85f-76c9-qw3x for the official advisory and patch references.

Workarounds

  • Restrict access to /WeGIA/controle/control.php through reverse proxy or WAF rules that reject nextPage values containing ://, leading //, or non-relative paths.
  • Enforce an allow-list of internal redirect targets at the reverse proxy layer, rejecting any redirect whose Location host differs from the application host.
  • Train staff to inspect post-login URLs and report unexpected redirects originating from the WeGIA domain.
bash
# Example NGINX rule to block absolute URLs in the nextPage parameter
if ($arg_nextPage ~* "^(https?:)?//") {
    return 400;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.