Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the "Nome" field in the "Informações Pacientes" page. The payload is stored and executed when the patient information is viewed. Version 3.6.10 fixes the issue.
AnalysisAI
Stored XSS in WeGIA patient management system (versions before 3.6.10) allows authenticated high-privilege users to inject malicious JavaScript via the patient name field, with execution occurring when patient records are subsequently viewed. The vulnerability affects all instances of WeGIA prior to version 3.6.10, where the fix has been released. Exploitation requires administrative or high-privilege account access but can compromise confidentiality and session integrity of users viewing affected patient records.
Technical ContextAI
WeGIA is a web-based patient information management system for charitable institutions built on unspecified web frameworks. The vulnerability exists in the patient information page ('Informações Pacientes'), specifically in the 'Nome' (name) field, where user-supplied input is stored without proper sanitization or encoding. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating that untrusted user input is reflected or stored and then rendered in HTML context without HTML entity encoding or content security policies. The attack vector is network-based, suggesting the application is accessible over HTTP/HTTPS, though exploitation requires high-privilege authentication (PR:H in CVSS vector), limiting the attacker pool to administrative users or compromised high-privilege accounts within the institution.
RemediationAI
Upgrade WeGIA to version 3.6.10 or later, which includes the fix for input sanitization in the patient name field. For organizations unable to immediately patch, implement network-level restrictions to limit administrative access to the WeGIA application to trusted networks or VPNs, reducing the window for high-privilege account compromise. Additionally, apply a Web Application Firewall (WAF) rule set to detect and block common XSS payload patterns (script tags, event handlers, JavaScript protocols) in form submissions to the patient information endpoint; note that this may block legitimate use of special characters in patient names, requiring testing before production deployment. Enable HTML output encoding in the application configuration if available as a setting. Implement strict Content Security Policy (CSP) headers with 'script-src self' to prevent inline script execution, mitigating XSS impact even if payloads are stored. Monitor administrative audit logs for suspicious modifications to patient records (especially the 'Nome' field with unusual characters or script-like content). The GitHub security advisory at https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-x74c-gwj9-6cwr provides official patch details and should be reviewed for any additional guidance.
Critical OS Command Injection vulnerability in WeGIA (a web management system for charitable institutions) versions prio
WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Rated critical
WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely
WeGIA is a web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23525