Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript into the Intercorrências notification page, which is executed when user access the the page, enabling session hijacking and account takeover. Version 3.6.10 fixes the issue.
AnalysisAI
Stored Cross-Site Scripting in WeGIA versions prior to 3.6.10 allows authenticated users to inject malicious JavaScript into the Intercorrências notification page, which executes when other users access that page, enabling session hijacking and account takeover. The vulnerability requires user authentication to inject the payload but affects all subsequent viewers of the notification page without additional user interaction. Patch version 3.6.10 resolves the issue.
Technical ContextAI
This is a stored XSS vulnerability (CWE-79) in WeGIA, a web-based management platform for charitable institutions. The vulnerability exists in the Intercorrências (Incidents/Issues) notification functionality where user-supplied input is not properly sanitized or encoded before being stored in a database and later rendered in HTML responses. When a page containing the injected JavaScript is accessed, the browser executes the malicious script in the security context of the viewing user's session, allowing attackers to steal session tokens, cookies, or perform actions on behalf of the victim. The CPE cpe:2.3:a:labredescefetrj:wegia:*:*:*:*:*:*:*:* identifies the affected product family across all versions before 3.6.10.
RemediationAI
Upgrade WeGIA to version 3.6.10 or later, which includes proper input sanitization and output encoding for the Intercorrências notification page. The vendor has released this patched version and it is available from their GitHub repository. If immediate patching is not feasible, implement compensating controls such as: (1) restrict write permissions on the Intercorrências notification feature to trusted administrative users only, reducing the attack surface to authenticated attackers with elevated privileges; (2) implement a Content Security Policy (CSP) header with strict directives (script-src 'self', no inline scripts) to mitigate the impact of any injected JavaScript; (3) enable security headers such as X-XSS-Protection to provide browser-level protection against reflected XSS (though this has limited effect on stored XSS); (4) conduct regular security audits of notification content and review audit logs for suspicious entries. Note that compensating controls do not eliminate the vulnerability and should only be temporary measures until patching is completed.
Critical OS Command Injection vulnerability in WeGIA (a web management system for charitable institutions) versions prio
WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Rated critical
WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely
WeGIA is a web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23523