PT-2026-26606 · Wegia · Wegia

Bao190505 · Published 2026-03-20 · Updated 2026-03-22 · CVE-2026-33135

CVSS v3.1: 9.3 Critical
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: WeGIA versions 3.6.6 and below
Description: WeGIA is a web manager for charitable institutions. Versions 3.6.6 and below are affected by a reflected cross-site scripting (XSS) vulnerability in the /html/memorando/novo_memorandoo.php endpoint. The script reads HTTP GET parameters to display dynamic success messages to the user: around line 273 it checks whether $_GET['msg'] equals 'success' and, if so, concatenates $_GET['sccs'] into an HTML alert that is output to the browser without sanitization or encoding. An attacker who gets a victim to open a crafted link can therefore inject arbitrary JavaScript through the sccs GET parameter and have it execute in the victim's browser in the context of the WeGIA site.
Recommendations: Versions 3.6.6 and below should be updated to version 3.6.7 or later.
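The following is an added example, not code from WeGIA or from the advisory. It reconstructs the pattern the description gives (a msg=success check, then the sccs parameter concatenated into an alert) next to two hardened forms. The alert markup, the function names and the message codes are assumptions; only the parameter names msg and sccs and the echo-without-encoding behaviour come from the advisory.

```php
<?php
// Added example, not WeGIA's own code. The msg/sccs handling follows the
// advisory text; the exact markup and the function names are assumptions.

// Vulnerable pattern described in the advisory: the sccs value is
// concatenated straight into the HTML response.
function renderAlertVulnerable(array $get): string
{
    if (($get['msg'] ?? '') === 'success') {
        $sccs = (string)($get['sccs'] ?? '');
        return '<div class="alert alert-success">' . $sccs . '</div>';
    }
    return '';
}

// Minimal fix: encode the value for the HTML text context before output.
// ENT_QUOTES also encodes single quotes, so the value is safe inside
// attribute values as well as in element content.
function renderAlertEncoded(array $get): string
{
    if (($get['msg'] ?? '') === 'success') {
        $sccs = (string)($get['sccs'] ?? '');
        $safe = htmlspecialchars($sccs, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        return '<div class="alert alert-success">' . $safe . '</div>';
    }
    return '';
}

// Stronger fix: do not let the query string carry free-form text at all.
// The URL carries only a short code that is mapped to a server-side message;
// unknown codes render nothing. The codes below are hypothetical.
const SUCCESS_MESSAGES = [
    'created' => 'Memo created successfully.',
    'updated' => 'Memo updated successfully.',
];

function renderAlertAllowlist(array $get): string
{
    if (($get['msg'] ?? '') !== 'success') {
        return '';
    }
    $code = (string)($get['sccs'] ?? '');
    if (!isset(SUCCESS_MESSAGES[$code])) {
        return '';
    }
    $text = htmlspecialchars(SUCCESS_MESSAGES[$code], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="alert alert-success">' . $text . '</div>';
}

// Constructed input of the reflected-XSS shape (stands in for the $_GET array
// built from a crafted link). Any script-bearing markup behaves the same way.
$crafted = [
    'msg'  => 'success',
    'sccs' => '<img src=x onerror=alert(document.domain)>',
];

echo renderAlertVulnerable($crafted), PHP_EOL; // tag is emitted verbatim and runs in the browser
echo renderAlertEncoded($crafted), PHP_EOL;    // &lt;img ...&gt; is shown as text, not executed
echo renderAlertAllowlist($crafted), PHP_EOL;  // empty: the value is not a known code

// The allowlisted path with a legitimate code, for comparison.
echo renderAlertAllowlist(['msg' => 'success', 'sccs' => 'created']), PHP_EOL;
```

When auditing for the same class of issue elsewhere in the code base, the thing to look for is any $_GET or $_POST value that reaches echo, print or string concatenation into HTML without passing through htmlspecialchars (or a templating engine that encodes by default); the encoded form above is the quick patch, and the allowlisted form removes the attacker-controlled text from the page entirely.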

XSS

Related Identifiers

CVE-2026-33135
GHSA-W5RV-5884-W94V

Affected Products

Wegia