CVE-2026-23726 is an Open Redirect vulnerability classified under CWE-601 found in the WeGIA web management application developed by LabRedesCefetRJ, primarily used by charitable institutions. The vulnerability resides in the /WeGIA/controle/control.php endpoint, specifically in the nextPage parameter when used alongside metodo=listarTodos and nomeClasse=TipoEntradaControle parameters. The application fails to properly validate or restrict the nextPage parameter, enabling an attacker to craft URLs that redirect users to arbitrary external websites. This can be exploited for malicious purposes such as phishing campaigns, credential harvesting, malware distribution, and social engineering attacks by leveraging the trust users place in the legitimate WeGIA domain. The vulnerability is remotely exploitable without requiring authentication but does require user interaction (clicking a malicious link). The CVSS 4.0 vector indicates low attack complexity, no privileges required, and low impact on confidentiality and integrity but some impact on availability and integrity via social engineering. The vulnerability was publicly disclosed on January 16, 2026, and fixed in WeGIA version 3.6.2. No known active exploits have been reported, but the risk remains due to the potential for phishing and redirection attacks. Organizations running versions prior to 3.6.2 should update promptly to mitigate this risk.

For European organizations, especially charitable institutions using WeGIA, this vulnerability poses a risk of users being redirected to malicious websites under attacker control. This can lead to phishing attacks targeting employees, donors, or beneficiaries, potentially resulting in credential theft or malware infections. The trusted nature of the WeGIA domain increases the likelihood of successful social engineering. Although the vulnerability does not directly compromise system confidentiality or integrity, the indirect impact through user deception can lead to data breaches or operational disruptions. The medium severity reflects moderate risk, but the impact can escalate if attackers combine this with other attack vectors. Organizations handling sensitive donor or beneficiary information should be particularly cautious. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often weaponize open redirects in phishing campaigns.

1. Upgrade WeGIA to version 3.6.2 or later immediately to apply the official fix that properly validates the nextPage parameter. 2. Implement web application firewall (WAF) rules to detect and block suspicious URL parameters that attempt redirection to external domains. 3. Conduct user awareness training focusing on phishing risks, emphasizing caution when clicking links even from trusted domains. 4. Monitor web server logs for unusual redirect patterns or spikes in traffic to external URLs originating from the vulnerable endpoint. 5. If upgrading is not immediately possible, consider temporarily disabling or restricting access to the vulnerable endpoint or parameters via access controls or URL filtering. 6. Employ URL rewriting or validation mechanisms at the application or proxy level to enforce allowed redirect destinations. 7. Regularly audit and test web applications for open redirect and other injection vulnerabilities as part of security hygiene.