Skip to main content

Wegia CVE-2026-40282

| EUVDEUVD-2026-23523 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-17 GitHub_M
6.4
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.4 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

6
Patch released
Apr 20, 2026 - 19:02 nvd
Patch available
Analysis Generated
Apr 17, 2026 - 23:47 vuln.today
Patch available
Apr 17, 2026 - 21:16 EUVD
EUVD ID Assigned
Apr 17, 2026 - 20:45 euvd
EUVD-2026-23523
Analysis Generated
Apr 17, 2026 - 20:45 vuln.today
CVE Published
Apr 17, 2026 - 20:16 nvd
MEDIUM 6.4

DescriptionGitHub Advisory

WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript into the Intercorrências notification page, which is executed when user access the the page, enabling session hijacking and account takeover. Version 3.6.10 fixes the issue.

AnalysisAI

Stored Cross-Site Scripting in WeGIA versions prior to 3.6.10 allows authenticated users to inject malicious JavaScript into the Intercorrências notification page, which executes when other users access that page, enabling session hijacking and account takeover. The vulnerability requires user authentication to inject the payload but affects all subsequent viewers of the notification page without additional user interaction. Patch version 3.6.10 resolves the issue.

Technical ContextAI

This is a stored XSS vulnerability (CWE-79) in WeGIA, a web-based management platform for charitable institutions. The vulnerability exists in the Intercorrências (Incidents/Issues) notification functionality where user-supplied input is not properly sanitized or encoded before being stored in a database and later rendered in HTML responses. When a page containing the injected JavaScript is accessed, the browser executes the malicious script in the security context of the viewing user's session, allowing attackers to steal session tokens, cookies, or perform actions on behalf of the victim. The CPE cpe:2.3:a:labredescefetrj:wegia:*:*:*:*:*:*:*:* identifies the affected product family across all versions before 3.6.10.

RemediationAI

Upgrade WeGIA to version 3.6.10 or later, which includes proper input sanitization and output encoding for the Intercorrências notification page. The vendor has released this patched version and it is available from their GitHub repository. If immediate patching is not feasible, implement compensating controls such as: (1) restrict write permissions on the Intercorrências notification feature to trusted administrative users only, reducing the attack surface to authenticated attackers with elevated privileges; (2) implement a Content Security Policy (CSP) header with strict directives (script-src 'self', no inline scripts) to mitigate the impact of any injected JavaScript; (3) enable security headers such as X-XSS-Protection to provide browser-level protection against reflected XSS (though this has limited effect on stored XSS); (4) conduct regular security audits of notification content and review audit logs for suspicious entries. Note that compensating controls do not eliminate the vulnerability and should only be temporary measures until patching is completed.

More in Wegia

View all
CVE-2025-50201 CRITICAL POC
9.8 Jun 19

Critical OS Command Injection vulnerability in WeGIA (a web management system for charitable institutions) versions prio

CVE-2025-27140 CRITICAL POC
10.0 Feb 24

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely

CVE-2025-26613 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

CVE-2025-55169 CRITICAL POC
10.0 Aug 12

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Rated critical

CVE-2025-30364 CRITICAL POC
10.0 Mar 27

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely

CVE-2025-46828 CRITICAL POC
10.0 May 07

WeGIA is a web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely

CVE-2025-26612 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

CVE-2025-26617 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

CVE-2025-26611 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

CVE-2025-26609 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

CVE-2025-26608 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

CVE-2025-26607 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

Share

CVE-2026-40282 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy