Description
WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the 'Member Registration' (Cadastrar Sócio) function. By injecting a payload into the 'Member Name' (Nome Sócio) field, the script is persistently stored in the database. Consequently, the payload is executed whenever a user navigates to a certain URL. Version 3.6.10 fixes the issue.
Published: 2026-04-17
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

A stored Cross-Site Scripting flaw was discovered in the Member Registration function of WeGIA. By entering a malicious script into the Member Name field, the payload is permanently saved to the database and subsequently executed whenever a user visits certain URLs. Consequently, an attacker who can insert such a payload can run arbitrary JavaScript code in the context of other users' browsers, potentially leading to session hijacking, credential theft, or the execution of malicious actions on behalf of those users.

Affected Systems

The vulnerability affects the WeGIA web manager produced by LabRedesCefetRJ. Versions earlier than 3.6.10 are impacted; version 3.6.10 and later contain the fix.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, and the EPSS score is not available. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires only the ability to submit data to the Member Registration form; the script is then stored and later rendered to other users visiting the affected pages. This attack vector does not require privileges beyond registering a member, or at least having write access to that form.

Generated by OpenCVE AI on April 18, 2026 at 08:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WeGIA to version 3.6.10 or later to eliminate the stored XSS flaw
  • Ensure that the new release properly sanitizes or encodes all user‑supplied data before storing or rendering it, preventing scripts from being embedded in the database
  • Deploy a strong Content Security Policy that blocks inline scripting and restricts script execution to trusted origins, minimizing the impact if a similar issue is introduced in the future
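The encode-on-output and Content Security Policy recommendations above, as an added illustration that is not WeGIA's code (the member record, the `nome_socio` field name, the test payload and the row-rendering functions are all constructed for this example); it contrasts an unsafe rendering of the Member Name field with a context-escaped one and the response headers a hardened page would send.

```python
import html

# Constructed sample record, as a "Cadastrar Sócio" form might store it.
# Storing the raw value is fine; the defect is rendering it unescaped.
MEMBER = {"id": 42, "nome_socio": '<script>alert("xss")</script>'}

# Minimal CSP: no 'unsafe-inline', so an injected inline <script> does not run
# even if an encoding bug slips through; scripts load only from this origin.
CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


def render_member_row_unsafe(member: dict) -> str:
    """Pattern behind a stored XSS: field concatenated straight into HTML."""
    return f'<tr><td data-nome="{member["nome_socio"]}">{member["nome_socio"]}</td><td>{member["id"]}</td></tr>'


def render_member_row(member: dict) -> str:
    """Hardened version: escape for the HTML text and attribute contexts.

    html.escape with quote=True encodes < > & " and ', which covers both the
    element-content and the double-quoted attribute context used here.
    """
    name = html.escape(str(member["nome_socio"]), quote=True)
    return f'<tr><td data-nome="{name}">{name}</td><td>{int(member["id"])}</td></tr>'


def response_headers() -> dict:
    """Headers a member-listing page should send alongside the escaped HTML."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CSP,
        "X-Content-Type-Options": "nosniff",
    }


def contains_raw_script_tag(markup: str) -> bool:
    """Cheap regression check for a rendered page: no unescaped <script> tag."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print("unsafe :", render_member_row_unsafe(MEMBER))
    print("escaped:", render_member_row(MEMBER))
    print(response_headers()["Content-Security-Policy"])
```

The escaped row still round-trips to the original name (`html.unescape` restores it), so escaping at render time loses no data while leaving the stored payload inert.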


Advisories

No advisories yet.

History

Fri, 17 Apr 2026 21:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Labredescefetrj; Labredescefetrj wegia

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Labredescefetrj; Labredescefetrj wegia

Fri, 17 Apr 2026 20:45:00 +0000

Type: Description
  Values Added: WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the 'Member Registration' (Cadastrar Sócio) function. By injecting a payload into the 'Member Name' (Nome Sócio) field, the script is persistently stored in the database. Consequently, the payload is executed whenever a user navigates to a certain URL. Version 3.6.10 fixes the issue.

Type: Title
  Values Added: WeGIA has Cross-Site Scripting in Controle de Contribuição

Type: Weaknesses
  Values Added: CWE-79

Type: References
  Values Added: (none listed)

Type: Metrics
  Values Added: cvssV3_1, score 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-17T20:27:59.131Z

Reserved: 2026-04-10T20:22:44.035Z

Link: CVE-2026-40286

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-17T21:16:34.430

Modified: 2026-04-17T21:16:34.430

Link: CVE-2026-40286

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:00:05Z

Weaknesses