Skip to main content

Wegia CVE-2026-40286

| EUVDEUVD-2026-23531 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-04-17 GitHub_M
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

7
Patch released
Apr 20, 2026 - 19:02 nvd
Patch available
Re-analysis Queued
Apr 17, 2026 - 21:22 vuln.today
cvss_changed
Patch available
Apr 17, 2026 - 21:16 EUVD
Analysis Generated
Apr 17, 2026 - 21:11 vuln.today
EUVD ID Assigned
Apr 17, 2026 - 20:45 euvd
EUVD-2026-23531
Analysis Generated
Apr 17, 2026 - 20:45 vuln.today
CVE Published
Apr 17, 2026 - 20:27 nvd
HIGH 7.5

DescriptionGitHub Advisory

WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the 'Member Registration' (Cadastrar Sócio) function. By injecting a payload into the 'Member Name' (Nome Sócio) field, the script is persistently stored in the database. Consequently, the payload is executed whenever a user navigates to certain URL. Version 3.6.10 fixes the issue.

AnalysisAI

Stored Cross-Site Scripting in WeGIA 'Member Registration' function allows remote attackers to inject malicious JavaScript through the 'Member Name' field, achieving persistent code execution in victim browsers without authentication. The payload executes whenever users navigate to affected pages, enabling session hijacking, credential theft, or administrative action execution. Version 3.6.10 provides a vendor-released patch. No public exploit identified at time of analysis, though exploitation is straightforward given the unauthenticated attack vector (CVSS AV:N/PR:N).

Technical ContextAI

WeGIA (Web Manager for Charitable Institutions) is a PHP-based web application developed by LabRedesCefetRJ for managing non-profit organizations. The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), where user-supplied input in the 'Nome Sócio' (Member Name) database field is not sanitized before storage or output encoding before rendering. This allows JavaScript payloads to persist in the application's database and execute in the context of any user's browser session when viewing member records. The affected component is cpe:2.3:a:labredescefetrj:wegia versions prior to 3.6.10. Unlike reflected XSS, stored XSS persists across sessions and affects all users who view the poisoned data, making it particularly dangerous in multi-user administrative interfaces.

RemediationAI

Upgrade to WeGIA version 3.6.10 or later, which contains input validation and output encoding fixes for the Member Name field. The patch is available through the official GitHub repository at https://github.com/LabRedesCefetRJ/WeGIA. If immediate patching is not feasible, implement compensating controls: (1) restrict access to the member registration function to authenticated, trusted users only via web server access controls or application-level permissions - this prevents anonymous attackers from injecting payloads but limits legitimate registration workflows; (2) deploy a Web Application Firewall (WAF) with XSS signature detection to filter script tags in POST requests to registration endpoints - note this is bypassable with encoding techniques and adds latency; (3) implement Content Security Policy (CSP) headers with 'script-src self' to prevent inline JavaScript execution - this may break existing legitimate inline scripts requiring code refactoring. Verify the fix post-upgrade by testing script injection in the Member Name field and confirming proper HTML entity encoding in rendered output.

More in Wegia

View all
CVE-2025-50201 CRITICAL POC
9.8 Jun 19

Critical OS Command Injection vulnerability in WeGIA (a web management system for charitable institutions) versions prio

CVE-2025-27140 CRITICAL POC
10.0 Feb 24

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely

CVE-2025-26613 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

CVE-2025-55169 CRITICAL POC
10.0 Aug 12

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Rated critical

CVE-2025-30364 CRITICAL POC
10.0 Mar 27

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely

CVE-2025-46828 CRITICAL POC
10.0 May 07

WeGIA is a web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely

CVE-2025-26612 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

CVE-2025-26617 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

CVE-2025-26611 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

CVE-2025-26609 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

CVE-2025-26608 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

CVE-2025-26607 CRITICAL POC
10.0 Feb 18

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity

Share

CVE-2026-40286 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy