CVE-2026-33135

EUVD-2026-13680 | CRITICAL | 9.3 (CVSS 3.1)
2026-03-20 | GitHub_M

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

EUVD ID Assigned: Mar 20, 2026 - 11:00 (euvd), EUVD-2026-13680
Analysis Generated: Mar 20, 2026 - 11:00 (vuln.today)
CVE Published: Mar 20, 2026 - 10:38 (nvd), CRITICAL 9.3

Description

WeGIA is a web manager for charitable institutions. Versions 3.6.6 and below have a Reflected Cross-Site Scripting (XSS) vulnerability in the novo_memorandoo.php endpoint. An attacker can inject arbitrary JavaScript into the sccs GET parameter, which is directly echoed into the HTML response without any sanitization or encoding. The script /html/memorando/novo_memorandoo.php reads HTTP GET parameters to display dynamic success messages to the user. At approximately line 273, the code checks if $_GET['msg'] equals 'success'. If true, it directly concatenates $_GET['sccs'] into an HTML alert <div> and outputs it to the browser. This issue has been fixed in version 3.6.7.
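
The pattern described above next to an output-encoded counterpart, as an added example. This is not WeGIA's code: the function names, the CSS classes and the sample inputs are assumptions, and the page does not show how version 3.6.7 implements its fix.

```php
<?php
declare(strict_types=1);

// Added illustration, not WeGIA source. Names and markup are hypothetical.

// Pattern from the description: when msg=success, the raw 'sccs' value is
// concatenated into the alert <div>, so any markup in it reaches the browser.
function render_alert_unsafe(array $query): string
{
    if (($query['msg'] ?? '') === 'success') {
        return '<div class="alert alert-success">' . ($query['sccs'] ?? '') . '</div>';
    }
    return '';
}

// Hardened form: accept only a string and HTML-encode it at the point of output.
function render_alert_safe(array $query): string
{
    if (($query['msg'] ?? '') !== 'success') {
        return '';
    }
    $text = $query['sccs'] ?? '';
    if (!is_string($text)) {
        // ?sccs[]=x is parsed by PHP into an array; refuse it instead of casting.
        return '';
    }
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    $encoded = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="alert alert-success">' . $encoded . '</div>';
}

// Constructed sample inputs standing in for $_GET (benign markup only).
$samples = [
    ['msg' => 'success', 'sccs' => 'Memorando enviado'],
    ['msg' => 'success', 'sccs' => '<b title="x">Memorando</b> & anexos'],
    ['msg' => 'success', 'sccs' => ['unexpected', 'array']],
    ['msg' => 'other',   'sccs' => 'ignored'],
];

foreach ($samples as $query) {
    // The safe renderer never emits '<' or '"' that originated in the parameter.
    echo render_alert_safe($query), PHP_EOL;
}
```

With the second sample, render_alert_unsafe() returns the <b> element as live markup, while render_alert_safe() returns it as inert text made of HTML entities.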

Analysis

A Reflected Cross-Site Scripting (XSS) vulnerability exists in WeGIA, a web manager for charitable institutions. Versions 3.6.6 and below are affected through the novo_memorandoo.php endpoint, where an attacker can inject arbitrary JavaScript via the sccs GET parameter without sanitization. …


Remediation

Within 24 hours: Identify all systems running WeGIA 3.6.6 or below and restrict external access to the novo_memorandoo.php endpoint.
Within 7 days: Implement Web Application Firewall (WAF) rules blocking suspicious 'sccs' parameter values and monitor for exploitation attempts; contact vendor for patch timeline and interim guidance. …


Priority Score

Score: 47
KEV: 0
EPSS: +0.0
CVSS: +46
POC: 0
