CVE-2026-6990 - Vulnerability Details

- projeto-siga novo cross site scripting

Description

A vulnerability was found in projeto-siga siga 11.0.3.18. The affected element is an unknown function of the file /sigawf/app/responsavel/novo. Performing a manipulation of the argument Nome/Descrição results in cross site scripting. The attack can be initiated remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

Published: 2026-04-25

Score: 5.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A stored cross‑site scripting flaw exists in projeto‑siga Siga version 11.0.3.18. By submitting a malicious payload in the Nome/Descrição field of the /sigawf/app/responsavel/novo endpoint, an attacker can cause arbitrary script execution in the browser of any user who later views that stored content. This flaw leads to potential session hijacking, defacement, and data theft because the injected script runs with the privileges of the victim's browser session.

Affected Systems

The affected product is projeto‑siga Siga. The vulnerability has been identified specifically in version 11.0.3.18 of the application.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate risk, while the EPSS score of less than 1 % reflects a relatively low likelihood of exploitation at this time. The flaw is exploitable remotely via the web interface and does not require privileged access; an attacker merely needs to submit a crafted Nome/Descrição value. The vulnerability is not listed in the CISA KEV catalog, but the public disclosure of an active exploit means that exploitation is feasible if the flaw remains unpatched.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

projeto-siga

siga

affected

Version	Status	Constraints
`11.0.3.18`	affected	—

No data.

Vendor Product Confidence Versions

Projeto-siga

Siga

100%

Version	Status	Scheme	Platform
`11.0.3.18`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Obtain and install the latest oficial release or hotfix from projeto‑siga that sanitizes the Nome/Descrição input.
Implement server‑side validation that encodes or strips script tags and dangerous attributes before storing the field’s value.
Deploy a content‑security‑policy restricting script execution to mitigate the impact of any remaining XSS vectors.

Generated by OpenCVE AI on April 28, 2026 at 05:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00012.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/ViniCastro2001/Security_Reports/tree/main/siga/Stored-XSS-Responsavel
https://github.com/projeto-siga/siga/
https://github.com/projeto-siga/siga/issues/2491
https://vuldb.com/submit/796647
https://vuldb.com/vuln/359542
https://vuldb.com/vuln/359542/cti

History

Mon, 27 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Projeto-siga Projeto-siga siga
Vendors & Products		Projeto-siga Projeto-siga siga

Mon, 27 Apr 2026 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Sat, 25 Apr 2026 17:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was found in projeto-siga siga 11.0.3.18. The affected element is an unknown function of the file /sigawf/app/responsavel/novo. Performing a manipulation of the argument Nome/Descrição results in cross site scripting. The attack can be initiated remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Title		projeto-siga novo cross site scripting
Weaknesses		CWE-79 CWE-94
References		https://github.com/ViniCastro2001/Security_Reports/tree/main/siga/Stored-XSS-Responsavel https://github.com/projeto-siga/siga/ https://github.com/projeto-siga/siga/issues/2491 https://vuldb.com/submit/796647 https://vuldb.com/vuln/359542 https://vuldb.com/vuln/359542/cti
Metrics		cvssV2_0 `{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Projeto-siga Siga

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-25T17:30:15.529Z

Updated: 2026-04-27T12:37:42.038Z

Reserved: 2026-04-24T19:27:32.153Z

Link: CVE-2026-6990

Vulnrichment

Updated: 2026-04-27T12:37:37.018Z

NVD

Status : Deferred

Published: 2026-04-25T18:16:19.077

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-6990

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T05:45:23Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object