CVE-2026-33135 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the WeGIA web management system developed by LabRedesCefetRJ, primarily used by charitable institutions. The vulnerability exists in versions 3.6.6 and earlier within the novo_memorandoo.php endpoint. Specifically, the application reads HTTP GET parameters 'msg' and 'sccs' to display dynamic success messages. When 'msg' equals 'success', the code concatenates the 'sccs' parameter directly into an HTML alert <div> without any sanitization or encoding, allowing an attacker to inject arbitrary JavaScript code. This occurs around line 273 of the source code. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), which is a common web application security flaw. Exploitation requires no authentication and can be triggered by tricking a user into clicking a crafted URL containing malicious JavaScript in the 'sccs' parameter. The vulnerability has a CVSS 3.1 score of 9.3 (critical), reflecting its high impact on confidentiality and integrity, with no impact on availability. Although no known exploits are reported in the wild yet, the ease of exploitation and severity warrant immediate attention. The issue was addressed and fixed in WeGIA version 3.6.7 by properly sanitizing or encoding the 'sccs' parameter before output.

The vulnerability allows remote attackers to execute arbitrary JavaScript in the context of the victim's browser without requiring authentication. This can lead to theft of session cookies, enabling account hijacking, unauthorized actions on behalf of users, and potential delivery of further malware or phishing attacks. Since WeGIA is used by charitable institutions, exploitation could undermine trust, lead to data breaches involving sensitive donor or beneficiary information, and disrupt organizational operations. The reflected XSS can also facilitate social engineering attacks targeting staff or users. The critical CVSS score indicates a high likelihood of severe confidentiality and integrity impacts. Although availability is not directly affected, the reputational damage and potential regulatory consequences could be significant. Organizations worldwide using affected versions face risks of data compromise and operational disruption if the vulnerability is exploited.

1. Upgrade WeGIA to version 3.6.7 or later immediately to apply the official patch that fixes the XSS vulnerability. 2. Implement strict input validation on all user-supplied data, especially GET parameters, to reject or sanitize unexpected characters. 3. Apply proper output encoding (e.g., HTML entity encoding) when reflecting user input in HTML contexts to prevent script injection. 4. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts and reduce impact of XSS attacks. 5. Conduct regular security code reviews and penetration testing focusing on input handling and output encoding. 6. Educate users and staff about the risks of clicking untrusted links, especially those containing suspicious URL parameters. 7. Monitor web server logs for unusual or suspicious requests targeting the novo_memorandoo.php endpoint with 'msg=success' and unusual 'sccs' parameter values. 8. Consider implementing Web Application Firewalls (WAFs) with rules to detect and block reflected XSS attack patterns targeting this endpoint.