Skip to main content

Wegia CVE-2026-40283

| EUVDEUVD-2026-23525 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-17 GitHub_M
6.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.8 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

6
Patch released
Apr 27, 2026 - 15:17 nvd
Patch available
Patch available
Apr 17, 2026 - 21:16 EUVD
Analysis Generated
Apr 17, 2026 - 20:38 vuln.today
EUVD ID Assigned
Apr 17, 2026 - 20:15 euvd
EUVD-2026-23525
Analysis Generated
Apr 17, 2026 - 20:15 vuln.today
CVE Published
Apr 17, 2026 - 20:03 nvd
MEDIUM 6.8

DescriptionGitHub Advisory

WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the "Nome" field in the "Informações Pacientes" page. The payload is stored and executed when the patient information is viewed. Version 3.6.10 fixes the issue.

AnalysisAI

Stored XSS in WeGIA patient management system (versions before 3.6.10) allows authenticated high-privilege users to inject malicious JavaScript via the patient name field, with execution occurring when patient records are subsequently viewed. The vulnerability affects all instances of WeGIA prior to version 3.6.10, where the fix has been released. Exploitation requires administrative or high-privilege account access but can compromise confidentiality and session integrity of users viewing affected patient records.

Technical ContextAI

WeGIA is a web-based patient information management system for charitable institutions built on unspecified web frameworks. The vulnerability exists in the patient information page ('Informações Pacientes'), specifically in the 'Nome' (name) field, where user-supplied input is stored without proper sanitization or encoding. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating that untrusted user input is reflected or stored and then rendered in HTML context without HTML entity encoding or content security policies. The attack vector is network-based, suggesting the application is accessible over HTTP/HTTPS, though exploitation requires high-privilege authentication (PR:H in CVSS vector), limiting the attacker pool to administrative users or compromised high-privilege accounts within the institution.

RemediationAI

Upgrade WeGIA to version 3.6.10 or later, which includes the fix for input sanitization in the patient name field. For organizations unable to immediately patch, implement network-level restrictions to limit administrative access to the WeGIA application to trusted networks or VPNs, reducing the window for high-privilege account compromise. Additionally, apply a Web Application Firewall (WAF) rule set to detect and block common XSS payload patterns (script tags, event handlers, JavaScript protocols) in form submissions to the patient information endpoint; note that this may block legitimate use of special characters in patient names, requiring testing before production deployment. Enable HTML output encoding in the application configuration if available as a setting. Implement strict Content Security Policy (CSP) headers with 'script-src self' to prevent inline script execution, mitigating XSS impact even if payloads are stored. Monitor administrative audit logs for suspicious modifications to patient records (especially the 'Nome' field with unusual characters or script-like content). The GitHub security advisory at https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-x74c-gwj9-6cwr provides official patch details and should be reviewed for any additional guidance.

More in Wegia

View all
CVE-2025-50201 CRITICAL POC
9.8 Jun 19

Critical OS Command Injection vulnerability in WeGIA (a web management system for charitable institutions) versions prio

CVE-2025-27140 CRITICAL POC
10.0 Feb 24

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely

CVE-2025-26613 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

CVE-2025-55169 CRITICAL POC
10.0 Aug 12

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Rated critical

CVE-2025-30364 CRITICAL POC
10.0 Mar 27

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely

CVE-2025-46828 CRITICAL POC
10.0 May 07

WeGIA is a web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely

CVE-2025-26612 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

CVE-2025-26617 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

CVE-2025-26611 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

CVE-2025-26609 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

CVE-2025-26608 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

CVE-2025-26607 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

Share

CVE-2026-40283 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy