Description
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, a stored XSS vulnerability allows an attacker to inject malicious scripts through a backup filename. This could lead to unauthorized execution of malicious code in the victim's browser, compromising session data or executing actions on behalf of the user. This vulnerability is fixed in 3.6.9.
Published: 2026-04-06
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting via backup filename
Action: Immediate Patch
AI Analysis

Impact

A stored cross-site scripting flaw exists in the backup filename handling of the WeGIA web manager. An attacker can craft a backup file name containing malicious JavaScript payloads. When the application stores or later displays this filename, the script executes in the victim's browser, allowing the attacker to steal session cookies, hijack user accounts, or perform actions on behalf of the authenticated user. The weakness is captured by CWE-79.

Affected Systems

The vulnerability affects WeGIA, produced by LabRedesCefetRJ, in all versions prior to 3.6.9. The web manager is used by charitable institutions to manage their online presence, and the flaw is present in the application as a whole rather than being limited to a specific module.

Risk and Exploitability

The CVSS base score of 8.5 classifies the issue as High severity, indicating a significant impact on confidentiality, integrity, and availability. No EPSS score is available, but the absence of a KEV listing suggests that widespread exploitation is not yet documented. The likely attack vector is an attacker uploading a backup file with a crafted filename; the script executes when that name is rendered in an authenticated session, so the attacker must either have upload access or rely on social engineering to get a user to open the backup interface. The requirement that a victim view the stored backup filename limits immediate remote exploitation but still poses a substantial risk of account compromise.

Generated by OpenCVE AI on April 7, 2026 at 02:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WeGIA to version 3.6.9 or later, which removes the vulnerable backup filename handling.
  • If an update is not immediately possible, block or sanitize backup file name inputs to strip scripts before storage or display.
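As an added illustration of the second action (not code from WeGIA or OpenCVE), the sketch below applies the two layers that together close a stored XSS of this kind: an allowlist on backup filenames at upload time, and HTML escaping of whatever was stored before it is rendered. The accepted extensions and length limit are assumptions, not WeGIA's actual rules.

```python
import html
import re

# Allowlist for backup filenames: letters, digits, dot, dash, underscore,
# and one of a few archive extensions (assumed, not confirmed for WeGIA).
BACKUP_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}\.(sql|zip|tar\.gz)$")


def validate_backup_filename(name: str) -> bool:
    """Accept only names on the allowlist, so a script tag (or a path
    traversal sequence) is refused at upload time and never reaches storage."""
    if not isinstance(name, str) or ".." in name or "/" in name or "\\" in name:
        return False
    return BACKUP_NAME_RE.fullmatch(name) is not None


def render_backup_row_unsafe(name: str) -> str:
    """The vulnerable pattern: the stored name is concatenated straight into HTML."""
    return f"<li>{name}</li>"


def render_backup_row(name: str) -> str:
    """Hardened output: escape for the HTML text context regardless of what
    was stored, so a name that slipped past validation still renders inert."""
    return f"<li>{html.escape(name, quote=True)}</li>"


# Constructed sample inputs (not taken from the advisory).
SAMPLES = [
    "wegia_backup_2026-04-06.sql",
    "backup<script>alert(1)</script>.sql",
    "../../etc/passwd.sql",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = "accepted" if validate_backup_filename(sample) else "rejected"
        print(f"{verdict:8} {sample!r}")
        print("  unsafe :", render_backup_row_unsafe(sample))
        print("  escaped:", render_backup_row(sample))
```

Validation is the primary control; output escaping is the backstop for names already stored before the fix was applied.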

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Labredescefetrj; Labredescefetrj wegia

Type: Vendors & Products
Values Added: Labredescefetrj; Labredescefetrj wegia

Tue, 07 Apr 2026 00:00:00 +0000

Type: Description
Values Added: WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, a stored XSS vulnerability allows an attacker to inject malicious scripts through a backup filename. This could lead to unauthorized execution of malicious code in the victim's browser, compromising session data or executing actions on behalf of the user. This vulnerability is fixed in 3.6.9.

Type: Title
Values Added: WeGIA has Stored XSS in backup file names

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics
Values Added: cvssV4_0 {'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T15:09:37.423Z

Reserved: 2026-04-02T17:03:42.074Z

Link: CVE-2026-35399

Vulnrichment

Updated: 2026-04-07T14:52:00.504Z

NVD

Status : Undergoing Analysis

Published: 2026-04-06T21:16:21.897

Modified: 2026-04-07T16:16:26.047

Link: CVE-2026-35399

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T09:37:01Z

Weaknesses