Is there a patch available for CVE-2026-35472?

Yes, a patch is available for CVE-2026-35472. Update the affected software to the latest version immediately.

PHP CVE-2026-35472

Q: What is the CVSS score of CVE-2026-35472?

CVE-2026-35472 has a CVSS 4.0 base score of 5.1 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-19504 MEDIUM

URL Redirection to Untrusted Site (Open Redirect) (CWE-601)

2026-04-06 security-advisories@github.com

PHP Open Redirect

5.1

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Patch available

Apr 16, 2026 - 05:29 EUVD

3.6.9

EUVD ID Assigned

Apr 06, 2026 - 21:22 euvd

EUVD-2026-19504

Analysis Generated

Apr 06, 2026 - 21:22 vuln.today

CVE Published

Apr 06, 2026 - 21:16 nvd

MEDIUM 5.1

DescriptionNVD

WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=EstoqueControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.9.

AnalysisAI

Open Redirect vulnerability in WeGIA versions prior to 3.6.9 allows unauthenticated remote attackers to redirect users to arbitrary external websites via the unvalidated nextPage parameter in the /WeGIA/controle/control.php endpoint when combined with specific parameters (metodo=listarTodos and nomeClasse=EstoqueControle). Attackers can exploit the application's trusted domain to conduct phishing attacks, steal credentials, distribute malware, or execute social engineering campaigns. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-35472 vulnerability details – vuln.today

Back

PHP CVE-2026-35472

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Analysis

Full analysis requires sign-in

Share

PHP CVE-2026-35472

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Full analysis requires sign-in

Share

External POC / Exploit Code