Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the "Destinatário" field. The payload is stored and later executed when viewing the dispatch page, impacting other users. Version 3.6.10 fixes the issue.
AnalysisAI
Stored XSS in WeGIA versions prior to 3.6.10 allows authenticated high-privilege users to inject malicious JavaScript via the Destinatário field, with payloads persisted and executed when other users view the dispatch page. The vulnerability requires administrative or high-privilege authentication but impacts confidentiality of all users accessing affected pages. No public exploit code or active exploitation has been reported.
Technical ContextAI
WeGIA is a web-based management system for charitable institutions built on web technologies vulnerable to improper input sanitization. The vulnerability stems from CWE-79 (Cross-Site Scripting), specifically a stored/persistent XSS flaw where user-supplied input in the Destinatário field is not properly sanitized before storage in the application database or rendered in HTML responses. When the dispatch page is accessed by any user, the malicious JavaScript payload executes in their browser context with their privileges, potentially allowing theft of session tokens, credential harvesting, or unauthorized actions performed on behalf of legitimate users. The attack vector is network-based but requires high-privilege authentication (PR:H per CVSS vector), limiting the threat model to administrative users or those with elevated permissions within the institution.
RemediationAI
Upgrade WeGIA to version 3.6.10 or later immediately. The vendor has released a patched version that addresses the Destinatário field sanitization issue. For organizations unable to upgrade immediately, implement network-level access controls to restrict who can authenticate to WeGIA administrative interfaces, reducing the pool of users capable of injecting payloads. Additionally, configure web application firewall rules to detect and block common XSS payload patterns (e.g., script tags, event handlers) in HTTP requests targeting the Destinatário field endpoint. Apply HTTP Content-Security-Policy headers to restrict script execution to trusted sources only, though this may not fully prevent stored XSS executed server-side. Monitor dispatch page access logs for unusual JavaScript patterns in stored data and manually sanitize existing records if suspected injection has occurred. Consult the GitHub Security Advisory at https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-mccp-8446-phw5 for additional remediation guidance from the vendor.
Critical OS Command Injection vulnerability in WeGIA (a web management system for charitable institutions) versions prio
WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Rated critical
WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely
WeGIA is a web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23527