Open redirect in WeGIA - CVE-2026-23730
Published: April 23, 2026
WeGIA
Detailed vulnerability description
The vulnerability allows a remote user to redirect users to arbitrary external websites.
The vulnerability exists due to URL redirection to an untrusted site (open redirect) in the control.php endpoint when it handles the nextPage parameter with metodo=listarTodos and nomeClasse=ProdutoControle. A remote user can send a specially crafted request to redirect users to arbitrary external websites.
User interaction is required for the victim to follow the crafted link.
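For triage, the following added example (not WeGIA code and not part of the advisory) scans web server access logs for requests to the endpoint described above whose nextPage value points off-site. It goes slightly beyond the advisory text by also flagging scheme-relative and backslash forms of an external target. Assumptions: combined log format, a made-up /app/ path prefix and hostnames in the constructed sample lines, and a hypothetical trusted_hosts parameter.

```python
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter values as named in the advisory.
ENDPOINT, METODO, NOME_CLASSE = "control.php", "listarTodos", "ProdutoControle"

def is_external_target(value, trusted_hosts=frozenset()):
    """True if a nextPage value would take the browser off-site."""
    v = value.strip().replace("\\", "/")    # browsers treat "\" like "/"
    if any(ord(c) < 0x20 for c in v):
        return True                         # embedded control characters
    try:
        parts = urlsplit(v)
    except ValueError:
        return True                         # unparsable authority: reject
    if parts.scheme not in ("", "http", "https"):
        return True                         # non-web scheme
    if parts.scheme or parts.netloc:        # absolute or scheme-relative URL
        return (parts.hostname or "").lower() not in trusted_hosts
    return False                            # relative path stays on-site

def suspicious_requests(log_lines, trusted_hosts=frozenset()):
    """Return (line_no, nextPage) for matching requests with off-site targets."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        try:
            url = urlsplit(line.split('"')[1].split()[1])  # request target
        except (IndexError, ValueError):
            continue                        # not a parsable access-log line
        q = parse_qs(url.query)
        if (url.path.rsplit("/", 1)[-1] != ENDPOINT
                or METODO not in q.get("metodo", [])
                or NOME_CLASSE not in q.get("nomeClasse", [])):
            continue
        hits += [(n, v) for v in q.get("nextPage", [])
                 if is_external_target(v, trusted_hosts)]
    return hits

# Constructed sample lines (combined log format); path prefix and hosts are made up.
LINE = ('198.51.100.7 - - [01/Jan/2026:10:00:00 +0000] "GET /app/control.php'
        '?metodo=listarTodos&nomeClasse=ProdutoControle&nextPage={} HTTP/1.1" 302 0')
SAMPLE_LOG = [
    LINE.format("..%2Fhtml%2Flista.php"),
    LINE.format("https%3A%2F%2Fredirect-target.example%2Flogin"),
    LINE.format("%2F%5Credirect-target.example"),
    '198.51.100.7 - - [01/Jan/2026:10:00:05 +0000] "GET /app/index.php HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line_no, target in suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: nextPage -> {target!r}")
```

The same is_external_target check can serve as a server-side allowlist test before a redirect is issued: reject any value for which it returns True.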