Description
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, a stored XSS vulnerability allows an attacker to inject malicious scripts through a backup filename. This could lead to unauthorized execution of malicious code in the victim's browser, compromising session data or executing actions on behalf of the user. This vulnerability is fixed in 3.6.9.
Published: 2026-04-06
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Client‑side script execution
Action: Patch ASAP
AI Analysis

Impact

A stored cross‑site scripting flaw lets attackers place JavaScript code inside a backup file name. When a user opens that backup, the browser runs the embedded script, which can capture session cookies or perform actions in the victim’s context.

Affected Systems

The flaw exists in the WeGIA web manager from LabRedesCefetRJ for all releases older than version 3.6.9.

Risk and Exploitability

The vulnerability scores an 8.5 on CVSS, indicating high severity, while the EPSS score is below 1 %, showing a low probability of exploitation in the wild. It is not listed in the CISA KEV catalog. Attackers likely need to create a malicious backup file name and get the target to load that backup; the input is not automatically sanitized, so the attack is feasible when the user interacts with the file.

Generated by OpenCVE AI on April 9, 2026 at 18:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WeGIA to version 3.6.9 or later
  • If an immediate update is not possible, delete or rename any backup files that contain user‑supplied names before opening them
  • Apply server‑side validation to reject or sanitize backup file names until a patch is available
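The last two recommendations amount to a server-side allowlist on the stored name plus output encoding wherever that name is rendered. The following is an added illustration written for this page, not WeGIA's own code; the accepted extensions, the length limit and the sample names are assumptions made for the example.

```python
import html
import re

# Allowlist for backup file names: an alphanumeric stem followed by one
# expected dump/archive extension. The extensions and length limit are an
# assumption for this example, not WeGIA's actual policy.
BACKUP_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.(sql|zip|tar\.gz)$")


def validate_backup_name(name: str) -> bool:
    """Server-side check: accept only names that cannot carry markup,
    quotes, or path components (guards CWE-79 and path traversal)."""
    if not isinstance(name, str) or len(name) > 80:
        return False
    # Explicit rejection of path tricks keeps the intent obvious to reviewers,
    # even though the allowlist regex already excludes these characters.
    if "/" in name or "\\" in name or ".." in name or "\x00" in name:
        return False
    return BACKUP_NAME_RE.fullmatch(name) is not None


def render_backup_row(name: str) -> str:
    """Output encoding: escape the stored name when it is placed in HTML.
    This neutralises names that were stored before validation existed."""
    safe = html.escape(name, quote=True)  # escapes < > & " and '
    return f"<tr><td>{safe}</td></tr>"


def triage(names):
    """Return (accepted, rejected) lists for a batch of stored names."""
    accepted = [n for n in names if validate_backup_name(n)]
    rejected = [n for n in names if not validate_backup_name(n)]
    return accepted, rejected


# Constructed sample names: two legitimate, one markup-bearing, one traversal-style.
SAMPLE_NAMES = [
    "wegia-backup-2026-04-06.sql",
    "weekly_full.tar.gz",
    '<img src=x onerror="alert(1)">.sql',
    "../../etc/passwd",
]

if __name__ == "__main__":
    ok, bad = triage(SAMPLE_NAMES)
    print("accepted:", ok)
    print("rejected:", bad)
    # Even a rejected legacy name renders inertly once escaped.
    print(render_backup_row(bad[0]))
```

Validation alone does not clean names that are already stored, which is why the rendering path encodes every name regardless of whether it passed the allowlist.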

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 17:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wegia; Wegia wegia
CPEs                |                | cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*
Vendors & Products  |                | Wegia; Wegia wegia
Metrics             |                | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Tue, 07 Apr 2026 15:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 09:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Labredescefetrj; Labredescefetrj wegia
Vendors & Products  |                | Labredescefetrj; Labredescefetrj wegia

Tue, 07 Apr 2026 00:00:00 +0000

Type        | Values Removed | Values Added
Description |                | WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, a stored XSS vulnerability allows an attacker to inject malicious scripts through a backup filename. This could lead to unauthorized execution of malicious code in the victim's browser, compromising session data or executing actions on behalf of the user. This vulnerability is fixed in 3.6.9.
Title       |                | WeGIA has Stored XSS in backup file names
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV4_0 {'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T15:09:37.423Z

Reserved: 2026-04-02T17:03:42.074Z

Link: CVE-2026-35399

Vulnrichment

Updated: 2026-04-07T14:52:00.504Z

NVD

Status: Analyzed

Published: 2026-04-06T21:16:21.897

Modified: 2026-04-09T17:39:04.413

Link: CVE-2026-35399

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:41:52Z

Weaknesses