CVE-2026-33136: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in LabRedesCefetRJ WeGIA
CVE-2026-33136 is a critical reflected Cross-Site Scripting (XSS) vulnerability affecting WeGIA, a web management system for charitable institutions, in versions 3.6.6 and below. The vulnerability exists in the listar_memorandos_ativos.php endpoint, where the sccd GET parameter is reflected into the HTML response without sanitization when the msg parameter equals 'success'. This allows attackers to inject arbitrary JavaScript or HTML, potentially leading to session hijacking, credential theft, or unauthorized actions. The flaw is resolved in version 3.6.7. Exploitation requires user interaction but no authentication, and the vulnerability has a CVSS v3.1 score of 9.3.
AI Analysis
Technical Summary
CVE-2026-33136 is a reflected Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the WeGIA web management software developed by LabRedesCefetRJ. The issue affects versions 3.6.6 and earlier. Specifically, the vulnerability resides in the listar_memorandos_ativos.php endpoint, which handles dynamic success messages via query string parameters. When the msg GET parameter equals 'success', the application directly concatenates and reflects the sccd GET parameter into an HTML alert <div> without any sanitization or encoding. This improper neutralization of input allows an attacker to craft a malicious URL containing arbitrary JavaScript or HTML code in the sccd parameter. When a user clicks this URL, the injected script executes in the victim's browser context, potentially leading to theft of session cookies, redirection to malicious sites, or execution of unauthorized actions on behalf of the user. The vulnerability does not require authentication but does require user interaction (clicking a crafted link). The CVSS v3.1 score is 9.3 (critical), reflecting high impact on confidentiality and integrity, with network attack vector, low attack complexity, no privileges required, and user interaction needed. The flaw was publicly disclosed on March 20, 2026, and fixed in version 3.6.7 of WeGIA. No known exploits in the wild have been reported yet. The vulnerability highlights the importance of proper input validation and output encoding in web applications, especially those handling user-supplied data in dynamic HTML contexts.
Potential Impact
The impact of CVE-2026-33136 is significant for organizations using WeGIA versions prior to 3.6.7, particularly charitable institutions relying on this software for managing sensitive communications and documents. Successful exploitation can lead to theft of user credentials or session tokens, enabling attackers to impersonate legitimate users and access sensitive information or perform unauthorized actions. This compromises confidentiality and integrity of data. Additionally, attackers can use the vulnerability to deliver malware or phishing content, potentially leading to broader network compromise. Since the vulnerability is reflected XSS, it requires user interaction, but the low attack complexity and lack of authentication make large-scale phishing campaigns feasible. Organizations may face reputational damage, regulatory penalties, and operational disruption if attackers leverage this flaw. The vulnerability also poses risks to end users who may be targeted via crafted URLs. Given the critical CVSS score, the threat is severe and demands prompt remediation.
Mitigation Recommendations
Organizations should immediately upgrade WeGIA to version 3.6.7 or later, where the vulnerability is patched. Until upgrading is possible, implement web application firewall (WAF) rules to detect and block suspicious requests containing script tags or unusual payloads in the sccd parameter. Employ strict input validation on all GET parameters, especially those reflected in HTML responses, ensuring only expected characters are accepted. Apply context-aware output encoding (e.g., HTML entity encoding) before reflecting user input in web pages to prevent script execution. Educate users to be cautious about clicking unsolicited links, especially those containing query parameters. Conduct regular security assessments and code reviews focusing on input handling and output encoding. Monitor logs for unusual access patterns to the vulnerable endpoint. Consider implementing Content Security Policy (CSP) headers to restrict script execution sources, mitigating the impact of XSS attacks. Finally, maintain an incident response plan to quickly address any exploitation attempts.
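The following is an added example, not WeGIA's own code, reconstructing the unsafe reflection pattern described in the technical summary next to a hardened handler that applies the validation, output encoding and CSP recommendations above. Only the msg and sccd parameter names and the endpoint's behaviour come from the advisory; the function names, the alert wording and the allowlist pattern for sccd are assumptions.

```php
<?php
// Added example (not WeGIA's code): the reflected-XSS pattern reported for
// listar_memorandos_ativos.php, beside a hardened version of the same handler.
// Function names, message text and the sccd allowlist are assumptions.

// BEFORE (vulnerable): when msg=success, sccd is concatenated straight into
// the alert <div>, so any markup characters it carries become part of the page.
function renderSuccessAlertVulnerable(array $get): string
{
    if (($get['msg'] ?? '') !== 'success') {
        return '';
    }
    $sccd = $get['sccd'] ?? '';
    return '<div class="alert alert-success">Record ' . $sccd . ' saved.</div>';
}

// AFTER (hardened): two independent layers, each sufficient on its own.
//  1. Validate: sccd is treated as an identifier, so anything outside a narrow
//     allowlist is discarded (the exact pattern is an assumption about the app).
//  2. Encode for the HTML element context before reflecting the value;
//     ENT_QUOTES also covers the attribute context if the markup ever changes.
function renderSuccessAlertSafe(array $get): string
{
    if (($get['msg'] ?? '') !== 'success') {
        return '';
    }
    $sccd = (string) ($get['sccd'] ?? '');
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $sccd)) {
        $sccd = ''; // unexpected value: fall back to a neutral message
    }
    $safe = htmlspecialchars($sccd, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="alert alert-success">Record ' . $safe . ' saved.</div>';
}

// Defence in depth: a CSP without 'unsafe-inline' keeps a reflected payload
// from executing even if encoding were missed elsewhere on the page.
// Headers must be sent before any output.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
header('X-Content-Type-Options: nosniff');

echo renderSuccessAlertSafe($_GET);
```

With the hardened handler, a value such as `<b>x</b>` in sccd fails the allowlist and is dropped; even if the allowlist were relaxed, htmlspecialchars would render it as literal `&lt;b&gt;x&lt;/b&gt;` text rather than markup.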
Affected Countries
Brazil, United States, Portugal, Spain, France, Germany, United Kingdom, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T20:35:49.928Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bd275fe32a4fbe5f531f18
Added to database: 3/20/2026, 10:54:23 AM
Last enriched: 3/20/2026, 11:08:44 AM
Last updated: 3/20/2026, 1:08:06 PM