Is there a patch available for CVE-2026-35398?

Yes, a patch is available for CVE-2026-35398. Update the affected software to the latest version immediately.

PHP CVE-2026-35398

Q: What is the CVSS score of CVE-2026-35398?

CVE-2026-35398 has a CVSS 4.0 base score of 5.1 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-19498 MEDIUM

URL Redirection to Untrusted Site (Open Redirect) (CWE-601)

2026-04-06 security-advisories@github.com

PHP Open Redirect

5.1

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Patch available

Apr 16, 2026 - 05:29 EUVD

3.6.9

EUVD ID Assigned

Apr 06, 2026 - 21:22 euvd

EUVD-2026-19498

Analysis Generated

Apr 06, 2026 - 21:22 vuln.today

CVE Published

Apr 06, 2026 - 21:16 nvd

MEDIUM 5.1

DescriptionNVD

WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos & listarId_Nome and nomeClasse=OrigemControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.9.

AnalysisAI

Open redirect vulnerability in WeGIA versions prior to 3.6.9 allows unauthenticated remote attackers to redirect users to arbitrary external websites via the nextPage parameter in the /WeGIA/controle/control.php endpoint. By combining this with specific query parameters (metodo=listarTodos, listarId_Nome, nomeClasse=OrigemControle), attackers can leverage the trusted WeGIA domain for phishing, credential harvesting, malware distribution, and social engineering attacks. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-35398 vulnerability details – vuln.today

Back

PHP CVE-2026-35398

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Analysis

Full analysis requires sign-in

Share

PHP CVE-2026-35398

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Full analysis requires sign-in

Share

External POC / Exploit Code