Clickjacking Vulnerability

Severity
CVSS v3 base metrics: 4.3 / 10

Affected Versions
<= 3.6.1

Patched Versions
3.6.2

Summary
The web application is vulnerable to clickjacking attacks. The site can be embedded into another frame, allowing an attacker to trick a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects.

Details
The WeGIA application does not send any defensive HTTP headers related to framing protection. In particular:
- X-Frame-Options is missing
- Content-Security-Policy with the frame-ancestors directive is not configured

Because of this, an attacker can load any WeGIA page inside a malicious HTML document, overlay deceptive elements, hide real buttons, or force accidental interaction with sensitive workflows.

Impact
This vulnerability allows attackers to:
- Perform UI redressing attacks, tricking users into clicking hidden or disguised elements
- Trigger unauthorized actions using the victim's active session
- Manipulate sensitive workflows such as creation, deletion, modification, or approval of records
- Conduct phishing-like attacks by overlaying deceptive prompts or forms
- Embed the application into malicious pages to increase the effectiveness of social engineering attacks

Recommendation
Configure the X-Frame-Options header (DENY or SAMEORIGIN) and implement a CSP policy using frame-ancestors 'self' to prevent unauthorized framing. Ensure both protections are applied across all endpoints to fully mitigate the missing anti-framing controls.

CVSS v3 Base Metrics
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

CVE ID
CVE-2026-23731

Weaknesses
CWE-1021

Credits
Reporter: volksec
Remediation Developer: GabrielPintoSouza
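The recommendation above asks for both headers on every endpoint. The following Python checker is an added example written for this advisory; it is not WeGIA's code and not part of the advisory or the fix. It takes a response's header list (as `http.client` or `requests` expose it), decides whether X-Frame-Options and an enforced `frame-ancestors` directive are present, and reports what is missing. It goes slightly beyond the advisory text in handling the cases that make a header look protective without being so: a `Content-Security-Policy-Report-Only` policy (never blocks framing), a `frame-ancestors *` source list, the withdrawn `ALLOW-FROM` syntax, and conflicting duplicate X-Frame-Options values. The sample header lists, including the cookie value, are constructed for the example rather than captured from a WeGIA instance.

```python
from typing import List, Tuple

# (name, value) pairs, the shape http.client.HTTPResponse.getheaders() returns.
Headers = List[Tuple[str, str]]

# Header values matching the advisory's Recommendation section. Both are sent:
# frame-ancestors is the modern control, X-Frame-Options covers browsers that
# do not evaluate CSP.
RECOMMENDED_HEADERS: Headers = [
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Content-Security-Policy", "frame-ancestors 'self'"),
]

# Constructed sample responses for the example (not captured from WeGIA).
VULNERABLE_HEADERS: Headers = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "PHPSESSID=placeholder; Path=/; HttpOnly"),
]
PATCHED_HEADERS: Headers = VULNERABLE_HEADERS + RECOMMENDED_HEADERS


def _values(headers: Headers, name: str) -> List[str]:
    """Case-insensitive lookup returning every value of a possibly repeated header."""
    return [v.strip() for n, v in headers if n.lower() == name.lower()]


def xfo_protects(headers: Headers) -> bool:
    """True when X-Frame-Options restricts framing in a form browsers honour."""
    values = {v.upper() for v in _values(headers, "X-Frame-Options")}
    # Browsers ignore the header when it is absent, when duplicates conflict,
    # or when it uses the withdrawn ALLOW-FROM syntax; only a single DENY or
    # SAMEORIGIN value counts as a control.
    return len(values) == 1 and values.pop() in {"DENY", "SAMEORIGIN"}


def frame_ancestors_sources(headers: Headers) -> List[List[str]]:
    """Source lists of every frame-ancestors directive in *enforced* CSP headers.

    Content-Security-Policy-Report-Only is deliberately excluded: it only
    reports violations and never prevents the page from being framed.
    """
    found: List[List[str]] = []
    for policy in _values(headers, "Content-Security-Policy"):
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                found.append(tokens[1:])
    return found


def csp_protects(headers: Headers) -> bool:
    """True when at least one enforced policy restricts who may frame the page."""
    for sources in frame_ancestors_sources(headers):
        # A bare wildcard lets any origin frame the page, so it is not a control.
        # An empty source list is equivalent to 'none' per the CSP spec and does protect.
        if "*" not in sources:
            return True
    return False


def assess_framing_protection(headers: Headers) -> dict:
    """Summarise the anti-framing posture of a single response."""
    xfo = xfo_protects(headers)
    csp = csp_protects(headers)
    findings = []
    if not xfo:
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if not csp:
        findings.append("no enforced Content-Security-Policy frame-ancestors directive")
    return {
        "x_frame_options": xfo,
        "frame_ancestors": csp,
        "protected": xfo or csp,          # either control blocks framing
        "fully_mitigated": xfo and csp,   # the advisory asks for both
        "findings": findings,
    }


if __name__ == "__main__":
    for label, hdrs in (("vulnerable", VULNERABLE_HEADERS), ("patched", PATCHED_HEADERS)):
        print(label, assess_framing_protection(hdrs))
```

Run it against the header list of each WeGIA endpoint after deploying 3.6.2 to confirm the fix is applied uniformly rather than only on the pages that were originally reported; a single unprotected endpoint that handles a sensitive workflow is enough to keep the finding open.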