Description
WeGIA is a web manager for charitable institutions. In versions prior to 3.7.3, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript into the Processo de Aceitação (html/atendido/processo_aceitacao.php) page, which is executed when user access the the page, enabling session hijacking and account takeover. This vulnerability is fixed in 3.7.3.
Published: 2026-05-11
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Stored Cross‑Site Scripting flaw exists in the WeGIA web manager, specifically in the Processo de Aceitação page (html/atendido/processo_aceitacao.php). An authenticated user can inject malicious JavaScript that is stored on the server and executed whenever the affected page is loaded, allowing the attacker to hijack user sessions and take over accounts. The weakness is a classic input‑validation flaw (CWE‑79).

Affected Systems

The vendor is LabRedesCefetRJ, product WeGIA. All releases prior to version 3.7.3 are affected; the patch that ends the vulnerability begins with 3.7.3 and newer releases are considered safe. No additional sub‑versions are specified in the advisory.

Risk and Exploitability

The CVSS score of 6.8 indicates a moderate severity. There is no EPSS score reported, and the issue is not listed in the CISA KEV catalog. Because an attacker must first authenticate within the application, the vulnerability is not remotely exploitable in the traditional sense; however, once inside the system, malicious scripts can hijack sessions and compromise other users. The likelihood of exploitation depends on the number of active authenticated users and the organization’s internal threat model.

Generated by OpenCVE AI on May 11, 2026 at 20:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WeGIA to version 3.7.3 or later to apply the vendor patch that removes the stored‑XSS vulnerability.
  • Validate and sanitize all user‑supplied content before it is rendered in web pages to prevent other pages from unintentionally exposing stored or reflected XSS flaws.
  • Review other application modules (e.g., form submissions, database displays) for similar unsanitized inputs and apply appropriate input‑validation or output‑encoding techniques.

Generated by OpenCVE AI on May 11, 2026 at 20:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Labredescefetrj
Labredescefetrj wegia
Vendors & Products Labredescefetrj
Labredescefetrj wegia

Mon, 11 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description WeGIA is a web manager for charitable institutions. In versions prior to 3.7.3, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript into the Processo de Aceitação (html/atendido/processo_aceitacao.php) page, which is executed when user access the the page, enabling session hijacking and account takeover. This vulnerability is fixed in 3.7.3.
Title WeGIA: Stored XSS in html/atendido/processo_aceitacao.php
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Labredescefetrj Wegia
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T13:00:24.634Z

Reserved: 2026-05-08T16:58:28.896Z

Link: CVE-2026-45026

cve-icon Vulnrichment

Updated: 2026-05-12T13:00:15.307Z

cve-icon NVD

Status : Received

Published: 2026-05-11T20:25:47.070

Modified: 2026-05-12T14:17:08.720

Link: CVE-2026-45026

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T21:00:13Z

Weaknesses