Skip to main content

Wegia CVE-2026-40284

| EUVDEUVD-2026-23527 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-17 GitHub_M
6.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.8 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

6
Patch released
Apr 20, 2026 - 19:02 nvd
Patch available
Patch available
Apr 17, 2026 - 21:16 EUVD
Analysis Generated
Apr 17, 2026 - 21:11 vuln.today
EUVD ID Assigned
Apr 17, 2026 - 20:45 euvd
EUVD-2026-23527
Analysis Generated
Apr 17, 2026 - 20:45 vuln.today
CVE Published
Apr 17, 2026 - 20:24 nvd
MEDIUM 6.8

DescriptionGitHub Advisory

WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the "Destinatário" field. The payload is stored and later executed when viewing the dispatch page, impacting other users. Version 3.6.10 fixes the issue.

AnalysisAI

Stored XSS in WeGIA versions prior to 3.6.10 allows authenticated high-privilege users to inject malicious JavaScript via the Destinatário field, with payloads persisted and executed when other users view the dispatch page. The vulnerability requires administrative or high-privilege authentication but impacts confidentiality of all users accessing affected pages. No public exploit code or active exploitation has been reported.

Technical ContextAI

WeGIA is a web-based management system for charitable institutions built on web technologies vulnerable to improper input sanitization. The vulnerability stems from CWE-79 (Cross-Site Scripting), specifically a stored/persistent XSS flaw where user-supplied input in the Destinatário field is not properly sanitized before storage in the application database or rendered in HTML responses. When the dispatch page is accessed by any user, the malicious JavaScript payload executes in their browser context with their privileges, potentially allowing theft of session tokens, credential harvesting, or unauthorized actions performed on behalf of legitimate users. The attack vector is network-based but requires high-privilege authentication (PR:H per CVSS vector), limiting the threat model to administrative users or those with elevated permissions within the institution.

RemediationAI

Upgrade WeGIA to version 3.6.10 or later immediately. The vendor has released a patched version that addresses the Destinatário field sanitization issue. For organizations unable to upgrade immediately, implement network-level access controls to restrict who can authenticate to WeGIA administrative interfaces, reducing the pool of users capable of injecting payloads. Additionally, configure web application firewall rules to detect and block common XSS payload patterns (e.g., script tags, event handlers) in HTTP requests targeting the Destinatário field endpoint. Apply HTTP Content-Security-Policy headers to restrict script execution to trusted sources only, though this may not fully prevent stored XSS executed server-side. Monitor dispatch page access logs for unusual JavaScript patterns in stored data and manually sanitize existing records if suspected injection has occurred. Consult the GitHub Security Advisory at https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-mccp-8446-phw5 for additional remediation guidance from the vendor.

More in Wegia

View all
CVE-2025-50201 CRITICAL POC
9.8 Jun 19

Critical OS Command Injection vulnerability in WeGIA (a web management system for charitable institutions) versions prio

CVE-2025-27140 CRITICAL POC
10.0 Feb 24

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely

CVE-2025-26613 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

CVE-2025-55169 CRITICAL POC
10.0 Aug 12

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Rated critical

CVE-2025-30364 CRITICAL POC
10.0 Mar 27

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely

CVE-2025-46828 CRITICAL POC
10.0 May 07

WeGIA is a web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely

CVE-2025-26612 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

CVE-2025-26617 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

CVE-2025-26611 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

CVE-2025-26609 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

CVE-2025-26608 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

CVE-2025-26607 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

Share

CVE-2026-40284 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy