Description
WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/pet/adotantes/cadastro_adotante.php and html/pet/adotantes/informacao_adotantes.php endpoints of the WeGIA application. The application does not sanitize user-controlled input before rendering it inside the Adopters Information table, allowing persistent JavaScript injection. Any user who visits the page will have the payload executed automatically. This vulnerability is fixed in 3.6.2.
Published: 2026-01-16
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client-side XSS (persistent JavaScript execution)
Action: Immediate patch
AI Analysis

Impact

WeGIA, a web manager for charitable institutions, had a stored cross-site scripting flaw in the adopters information page before version 3.6.2. The application does not encode the value of the "nome" parameter when it renders the Adopters Information table, so malicious JavaScript submitted through cadastro_adotante.php is stored and then executes automatically in the browser of every user who views informacao_adotantes.php. This can lead to cookie theft, session hijacking or defacement, and is rated CVSS 5.3 (moderate).

Affected Systems

The flaw affects the WeGIA application from LabRedesCefetRJ, specifically all releases prior to 3.6.2. Any user of those versions who views the adopters information page is exposed, since the stored payload runs on page load without further interaction beyond visiting the page.

Risk and Exploitability

The CVSS v4.0 score of 5.3 (NVD's CVSS v3.1 assessment is 5.4) indicates moderate risk, and the EPSS score of less than 1% suggests a very low current exploitation probability; the vulnerability is not listed in the CISA KEV catalog. The SSVC record does, however, mark Exploitation as "poc", meaning a proof of concept exists, so the low EPSS should not be read as the absence of a working exploit. An attacker exploits the flaw by submitting malicious content in the "nome" field via the cadastro_adotante.php endpoint; the value is persisted in the database and rendered unescaped by informacao_adotantes.php, so any user who visits the adopters information page executes the payload. The attack vector is Network (AV:N) and the victim only has to view the page. The two vectors on this page disagree on privileges: the CNA's CVSS 4.0 vector rates PR:N, while NVD's CVSS 3.1 vector rates PR:L, i.e. the attacker needs an account that can write adopter records.

Generated by OpenCVE AI on April 18, 2026 at 05:41 UTC.

Remediation

The vendor fix is WeGIA 3.6.2, as stated in the CVE description; no separate vendor-published workaround is listed.

OpenCVE Recommended Actions

  • Upgrade the application to WeGIA version 3.6.2 or later, where the flaw is fixed.
  • If an upgrade is not feasible, apply output escaping (htmlspecialchars with ENT_QUOTES in PHP) to the "nome" field, and to every other user-controlled field, wherever it is rendered in the HTML table. Filtering only "<script>" tags is not enough: event-handler attributes (onerror, onload) and other markup also execute.
  • As a temporary measure, identify existing adopter records whose "nome" contains markup or script content and review, clean or delete them. With output escaping in place such records become inert, but removing them closes the window for any page that still renders them unescaped.
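The escaping the second action calls for, and the triage scan the third describes, as an added PHP example written for this page; it is not WeGIA's own code. The column name "nome" and the two endpoints come from the advisory; the row layout, the email field, the function names and the sample rows are constructed assumptions. The vulnerable function interpolates the stored value straight into the table markup, which is the bug class described, and the hardened one encodes at the point of output.

```php
<?php
// Added example, not WeGIA's own code: the unescaped rendering pattern described
// for the Adopters Information table beside a hardened version, plus a triage
// scan for records that already carry HTML or script in the "nome" column.
// "nome" comes from the advisory; the row layout, the "email" field, function
// names and sample rows are assumptions constructed for this example.
declare(strict_types=1);

/** Vulnerable: interpolates stored values into HTML unescaped (the advisory's bug class). */
function renderRowVulnerable(array $row): string
{
    return "<tr><td>{$row['nome']}</td><td>{$row['email']}</td></tr>\n";
}

/** Escape for an HTML text node or attribute value; ENT_QUOTES covers both quote kinds. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/** Hardened: every user-controlled field is encoded at the point of output. */
function renderRowSafe(array $row): string
{
    return '<tr><td>' . h((string) $row['nome']) . '</td><td>' . h((string) $row['email']) . "</td></tr>\n";
}

/**
 * Triage helper for already-stored records: flags values containing a tag start,
 * an inline event handler, a javascript: URL or a numeric entity (used to hide the
 * others). Review hits by hand rather than bulk-deleting; genuine names need none of these.
 */
function looksLikeMarkup(string $value): bool
{
    $patterns = [
        '/<\s*\/?\s*[a-z][a-z0-9-]*/i', // any HTML tag start, e.g. <script, <img, </td
        '/\bon[a-z]+\s*=/i',            // inline event handler, e.g. onerror=
        '/javascript\s*:/i',            // javascript: URL
        '/&#x?[0-9a-f]+;?/i',           // numeric character reference
    ];
    foreach ($patterns as $re) {
        if (preg_match($re, $value) === 1) {
            return true;
        }
    }
    return false;
}

/** Returns the ids of rows whose "nome" value should be reviewed. */
function findSuspiciousRows(array $rows): array
{
    $ids = [];
    foreach ($rows as $row) {
        if (looksLikeMarkup((string) $row['nome'])) {
            $ids[] = $row['id'];
        }
    }
    return $ids;
}

// Constructed sample data standing in for rows read from the adopters table.
$rows = [
    ['id' => 1, 'nome' => 'Maria da Silva',                              'email' => 'maria@example.org'],
    ['id' => 2, 'nome' => '<img src=x onerror=alert(document.cookie)>', 'email' => 'x@example.org'],
    ['id' => 3, 'nome' => "O'Brien & Sons",                              'email' => 'ob@example.org'],
];

echo "Vulnerable output (the payload in row 2 is live markup):\n";
foreach ($rows as $row) {
    echo renderRowVulnerable($row);
}
echo "\nHardened output (the payload is rendered as inert text):\n";
foreach ($rows as $row) {
    echo renderRowSafe($row);
}
echo "\nRows to review: " . implode(', ', findSuspiciousRows($rows)) . "\n";
```

Run with `php example.php`. Encoding at output is the durable fix: stripping `<script>` on input leaves event-handler attributes and other vectors untouched, and escaping at input time corrupts the same data when it is later used outside HTML (exports, e-mails). The scan is deliberately conservative; row 3 shows that an apostrophe and a bare ampersand in a legitimate name do not trigger it.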

Advisories

No advisories yet.

History

Fri, 30 Jan 2026 18:30:00 +0000

Type                 Values Removed    Values Added
CPEs                                   cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*
Metrics (cvssV3_1)                     {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Mon, 19 Jan 2026 09:45:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Wegia, Wegia wegia
Vendors & Products                     Wegia, Wegia wegia

Fri, 16 Jan 2026 22:15:00 +0000

Type                 Values Removed    Values Added
Metrics (ssvc)                         {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 16 Jan 2026 19:45:00 +0000

Type                 Values Removed    Values Added
Description                            WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/pet/adotantes/cadastro_adotante.php and html/pet/adotantes/informacao_adotantes.php endpoint of the WeGIA application. The application does not sanitize user-controlled input before rendering it inside the Adopters Information table, allowing persistent JavaScript injection. Any user who visits the page will have the payload executed automatically. This vulnerability is fixed in 3.6.2.
Title                                  WeGIA Stored Cross-Site Scripting (XSS) – nome Parameter on Adopters Information Page
Weaknesses                             CWE-79
References
Metrics (cvssV4_0)                     {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-16T21:13:25.373Z

Reserved: 2026-01-15T15:45:01.956Z

Link: CVE-2026-23725

Vulnrichment

Updated: 2026-01-16T21:13:18.557Z

NVD

Status: Analyzed

Published: 2026-01-16T20:15:50.460

Modified: 2026-01-30T18:29:24.140

Link: CVE-2026-23725

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T05:45:38Z

Weaknesses