CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Description (NVD)
WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the 'Member Registration' (Cadastrar Sócio) function. By injecting a payload into the 'Member Name' (Nome Sócio) field, the script is persistently stored in the database. Consequently, the payload is executed whenever a user navigates to a certain URL. Version 3.6.10 fixes the issue.
Analysis (AI)
Stored Cross-Site Scripting in WeGIA 'Member Registration' function allows remote attackers to inject malicious JavaScript through the 'Member Name' field, achieving persistent code execution in victim browsers without authentication. The payload executes whenever users navigate to affected pages, enabling session hijacking, credential theft, or administrative action execution. …
Remediation (AI)
Within 24 hours: Identify all WeGIA instances in production and document current versions. Within 7 days: Upgrade WeGIA to version 3.6.10 or later on all affected systems. …
EUVD-2026-23531