Description
WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the "Destinatário" field. The payload is stored and later executed when viewing the dispatch page, impacting other users. Version 3.6.10 fixes the issue.
Published: 2026-04-17
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

WeGIA is a web manager for charitable organizations. The vulnerability is a stored cross‑site scripting flaw that occurs when an authenticated user submits a malicious payload through the "Destinatário" field. The input is saved and executed whenever the dispatch page is viewed, which can compromise the confidentiality, integrity, and availability of other users’ sessions by allowing an attacker to run arbitrary JavaScript in their browsers. The weakness is a classic input validation failure, classified as CWE‑79.

Affected Systems

The affected product is WeGIA, a web management system produced by LabRedesCefetRJ. All versions prior to 3.6.10 are vulnerable; version 3.6.10 and later include the fix announced in the vendor advisory.

Risk and Exploitability

The CVSS score of 6.8 rates the flaw as Medium severity. The exploitation probability is not quantified because an EPSS score is not available, but the absence of a KEV listing suggests the flaw is not in an active exploit catalog. The flaw can be triggered by any logged‑in user with permission to edit the "Destinatário" field; if no further constraints apply, a broad set of users could be affected. Attackers would target the dispatch page where the payload is rendered, potentially injecting session‑stealing scripts or defacing content for any user who visits that page.

Generated by OpenCVE AI on April 18, 2026 at 09:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WeGIA to version 3.6.10 or later, which patches the stored XSS flaw
  • Limit access to the "Destinatário" field to trusted users or roles until the patch can be applied
  • Implement input sanitization or output encoding on the dispatch page to mitigate the effect of any remaining unfiltered input

Generated by OpenCVE AI on April 18, 2026 at 09:01 UTC.


Advisories

No advisories yet.

History

Fri, 17 Apr 2026 21:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Labredescefetrj; Labredescefetrj wegia

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Labredescefetrj; Labredescefetrj wegia

Fri, 17 Apr 2026 20:45:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the "Destinatário" field. The payload is stored and later executed when viewing the dispatch page, impacting other users. Version 3.6.10 fixes the issue.

Type: Title
  Values Removed: (none)
  Values Added: WeGIA has stored XSS in listar_despachos.php

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-79

Type: References
  Values Removed: (none)
  Values Added: (none)

Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1 score 6.8, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-17T20:24:10.282Z

Reserved: 2026-04-10T20:22:44.035Z

Link: CVE-2026-40284

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-17T21:16:34.140

Modified: 2026-04-17T21:16:34.140

Link: CVE-2026-40284

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:15:15Z

Weaknesses