Description
WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/atendido/cadastro_ocorrencia.php endpoint of the WeGIA application. The application does not sanitize user-controlled data before rendering it inside the “Atendido” selection dropdown. This vulnerability is fixed in 3.6.2.
Published: 2026-01-16
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

WeGIA permits stored XSS through the atendido_idatendido parameter of the occurrence registration page (html/atendido/cadastro_ocorrencia.php). Data reaching that parameter is written into the "Atendido" selection dropdown without HTML encoding, so a payload submitted once is persisted and executes in the browser of every user who later loads the page containing the dropdown. In the victim's session the script can read whatever the page exposes, send requests with the victim's credentials, deface the page, or redirect to a phishing site; session cookies themselves are readable only if they lack the HttpOnly flag. The weakness is CWE-79, improper neutralization of input during web page generation: the defect is missing output encoding at the point the stored value is rendered, not merely missing input validation.

Affected Systems

The vulnerability exists in all WeGIA releases prior to 3.6.2. WeGIA is a web manager for charitable institutions; the affected function is the occurrence registration page under html/atendido/. Deployments on older versions in which users can submit data that is later rendered in the "Atendido" dropdown are at risk.

Risk and Exploitability

The CVSS 3.1 vector behind the 4.3 score (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) records a low confidentiality impact and no integrity or availability impact, reachable over the network with low privileges, that is, an authenticated account. The vector also scores user interaction as not required, which is unusual for stored XSS and means the scorer treated a victim simply loading the page as sufficient. The EPSS estimate below 1 % suggests a very low probability of exploitation, and the CVE is not in CISA's KEV catalog, although the SSVC entry recorded under History notes a public proof of concept. An attacker needs an account able to submit data that ends up in the "Atendido" dropdown; no privilege escalation or remote code execution is involved, and the payoff is arbitrary client-side script running in the browsers of users who view the page.

Generated by OpenCVE AI on April 18, 2026 at 16:01 UTC.

Remediation

The vendor fix is WeGIA 3.6.2, as stated in the description; this page lists no workaround for earlier versions.

OpenCVE Recommended Actions

  • Upgrade WeGIA to 3.6.2 or later; that release carries the vendor fix for the stored XSS.
  • Encode on output wherever the atendido_idatendido value and the associated name are rendered into the dropdown (HTML entity encoding for both element text and attribute values), and validate the identifier server-side as an integer before it is stored. Encoding at render time is the control that closes CWE-79; validation narrows what can be stored but does not cover free-text fields.
  • Treat a web application firewall or pattern-based server-side filtering of the atendido_idatendido parameter as defense in depth only; such filters reduce exposure of unpatched instances but do not replace output encoding.
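
The rendering failure described under Impact and the two code-level recommendations above, reduced to a runnable illustration. This is an added example, not WeGIA's own source: the row layout in $atendidos, the function names render_dropdown_vulnerable, render_dropdown_hardened, e and read_selected_atendido, and the sample rows (including the payload row) are assumptions constructed for the demonstration.

```php
<?php
// Added example, not WeGIA code: a server-rendered <select> that echoes
// stored values, shown as the vulnerable pattern and a hardened one.
// $atendidos, render_dropdown_vulnerable, render_dropdown_hardened,
// e and read_selected_atendido are names assumed for this illustration.

// Constructed rows standing in for what the page reads back from the
// database. The second row carries a stored XSS payload of the kind the
// advisory describes: it closes the <option> and opens a <script>.
$atendidos = [
    ['idatendido' => 7, 'nome' => 'Maria da Silva'],
    ['idatendido' => 9, 'nome' => '</option><script>alert(document.cookie)</script>'],
];

// Vulnerable pattern: stored values are concatenated straight into markup,
// so the payload in 'nome' becomes live HTML for every viewer of the page.
function render_dropdown_vulnerable(array $rows): string
{
    $html = '<select name="atendido_idatendido">';
    foreach ($rows as $row) {
        $html .= '<option value="' . $row['idatendido'] . '">'
               . $row['nome'] . '</option>';
    }
    return $html . '</select>';
}

// Output encoding for the HTML element and attribute contexts. ENT_QUOTES
// also escapes ' and ", which matters inside value="...".
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: the id is numeric by contract, so it is cast; the name
// is free text, so it is entity-encoded at the point of rendering.
function render_dropdown_hardened(array $rows): string
{
    $html = '<select name="atendido_idatendido">';
    foreach ($rows as $row) {
        $html .= '<option value="' . (int) $row['idatendido'] . '">'
               . e((string) $row['nome']) . '</option>';
    }
    return $html . '</select>';
}

// Input side: the id the form submits back must be a positive integer.
// Anything else is rejected before storage. This complements output
// encoding; it does not replace it, because the name column is free text.
function read_selected_atendido(array $post): ?int
{
    $id = filter_var(
        $post['atendido_idatendido'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $id === false ? null : $id;
}

echo render_dropdown_vulnerable($atendidos), PHP_EOL;
echo render_dropdown_hardened($atendidos), PHP_EOL;
var_dump(read_selected_atendido(['atendido_idatendido' => '9']));
var_dump(read_selected_atendido(['atendido_idatendido' => '9</option><script>']));
```

Run it with the php command-line binary. The first line of output contains a literal script element inside the select, which is exactly what a browser would execute; the second renders the same row as &lt;/option&gt;&lt;script&gt;..., inert text inside the option. The two var_dump calls show the integer 9 accepted and the tampered value rejected as NULL. The point of keeping both halves is that validation of the id alone would not have stopped this bug: the name column is legitimate free text, and only encoding at render time neutralizes it.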

Advisories

No advisories yet.

History

Each entry lists the record type and the values added; no entry on this page removed a value.

Fri, 30 Jan 2026 18:30:00 +0000
  CPEs, values added: cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*

Mon, 19 Jan 2026 09:45:00 +0000
  First Time appeared, values added: Wegia; Wegia wegia
  Vendors & Products, values added: Wegia; Wegia wegia

Fri, 16 Jan 2026 22:15:00 +0000
  Metrics, values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 16 Jan 2026 19:45:00 +0000
  Description, values added: WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/atendido/cadastro_ocorrencia.php endpoint of the WeGIA application. The application does not sanitize user-controlled data before rendering it inside the “Atendido” selection dropdown. This vulnerability is fixed in 3.6.2.
  Title, values added: WeGIA Stored Cross-Site Scripting (XSS) – atendido_idatendido Parameter on Occurrence Registration Page
  Weaknesses, values added: CWE-79
  References, values added: (none listed)
  Metrics, values added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-16T21:33:07.130Z

Reserved: 2026-01-15T15:45:01.955Z

Link: CVE-2026-23724

Vulnrichment

Updated: 2026-01-16T21:33:03.011Z

NVD

Status: Analyzed

Published: 2026-01-16T20:15:50.310

Modified: 2026-01-30T18:29:45.610

Link: CVE-2026-23724

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:15:04Z

Weaknesses