PT-2026-26607 · Wegia · Wegia

Bao190505 · Published 2026-03-20 · Updated 2026-03-22 · CVE-2026-33136

CVSS v3.1: 9.3 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: WeGIA versions 3.6.6 and below

Description: WeGIA is a web manager for charitable institutions. The application contains a Reflected Cross-Site Scripting (XSS) issue in the /html/memorando/listar_memorandos_ativos.php endpoint. An attacker can inject arbitrary JavaScript or HTML tags into the sccd GET parameter, which is echoed directly into the HTML response without sanitization or output encoding. The script displays dynamic success messages to users based on query string parameters: it checks whether $_GET['msg'] equals 'success' and, if so, concatenates $_GET['sccd'] into an HTML alert and reflects it to the browser.

Recommendations: Versions prior to 3.6.7 should be updated to version 3.6.7 or later.
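As an added illustration (not WeGIA's actual code, which the advisory does not quote), the reflection pattern described above is shown next to an output-encoded version; the function names, alert markup and sample request are constructed.

```php
<?php
// Added example, not WeGIA's code: the pattern the advisory describes
// (msg=success triggers reflection of sccd) beside a hardened version.
// Function names, alert markup and the sample request are constructed.

// Vulnerable pattern: sccd is concatenated straight into the HTML alert,
// so any markup in the parameter reaches the browser intact.
function render_alert_vulnerable(array $get): string
{
    if (!isset($get['msg']) || $get['msg'] !== 'success') {
        return '';
    }
    $sccd = (string) ($get['sccd'] ?? '');
    return '<div class="alert alert-success">Record ' . $sccd . ' saved.</div>';
}

// Hardened pattern: encode for the HTML text context at the point of output.
// ENT_QUOTES also encodes ' and " so the value cannot break out of an
// attribute; ENT_SUBSTITUTE keeps invalid UTF-8 from producing an empty string.
function render_alert_safe(array $get): string
{
    if (!isset($get['msg']) || $get['msg'] !== 'success') {
        return '';
    }
    $sccd = (string) ($get['sccd'] ?? '');
    $encoded = htmlspecialchars($sccd, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="alert alert-success">Record ' . $encoded . ' saved.</div>';
}

// Constructed sample request: a value carrying markup instead of an identifier.
$sample = ['msg' => 'success', 'sccd' => '<b title="x">123</b>'];

// Markup is emitted verbatim and becomes part of the page's DOM:
echo render_alert_vulnerable($sample), "\n";
// Markup is emitted as text: &lt;b title=&quot;x&quot;&gt;123&lt;/b&gt;
echo render_alert_safe($sample), "\n";

// A request without msg=success renders nothing in either version.
echo render_alert_safe(['sccd' => '<i>1</i>']) === '' ? "no alert\n" : "alert\n";
```

Encoding at output is the fix for this reflection; a detection rule for the pre-fix version would look for requests to the endpoint where msg=success and sccd contains angle brackets or quotes.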

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-33136
GHSA-XJQP-5Q3H-2CXH

Affected Products

Wegia