Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
7DescriptionGitHub Advisory
WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the 'Member Registration' (Cadastrar Sócio) function. By injecting a payload into the 'Member Name' (Nome Sócio) field, the script is persistently stored in the database. Consequently, the payload is executed whenever a user navigates to certain URL. Version 3.6.10 fixes the issue.
AnalysisAI
Stored Cross-Site Scripting in WeGIA 'Member Registration' function allows remote attackers to inject malicious JavaScript through the 'Member Name' field, achieving persistent code execution in victim browsers without authentication. The payload executes whenever users navigate to affected pages, enabling session hijacking, credential theft, or administrative action execution. Version 3.6.10 provides a vendor-released patch. No public exploit identified at time of analysis, though exploitation is straightforward given the unauthenticated attack vector (CVSS AV:N/PR:N).
Technical ContextAI
WeGIA (Web Manager for Charitable Institutions) is a PHP-based web application developed by LabRedesCefetRJ for managing non-profit organizations. The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), where user-supplied input in the 'Nome Sócio' (Member Name) database field is not sanitized before storage or output encoding before rendering. This allows JavaScript payloads to persist in the application's database and execute in the context of any user's browser session when viewing member records. The affected component is cpe:2.3:a:labredescefetrj:wegia versions prior to 3.6.10. Unlike reflected XSS, stored XSS persists across sessions and affects all users who view the poisoned data, making it particularly dangerous in multi-user administrative interfaces.
RemediationAI
Upgrade to WeGIA version 3.6.10 or later, which contains input validation and output encoding fixes for the Member Name field. The patch is available through the official GitHub repository at https://github.com/LabRedesCefetRJ/WeGIA. If immediate patching is not feasible, implement compensating controls: (1) restrict access to the member registration function to authenticated, trusted users only via web server access controls or application-level permissions - this prevents anonymous attackers from injecting payloads but limits legitimate registration workflows; (2) deploy a Web Application Firewall (WAF) with XSS signature detection to filter script tags in POST requests to registration endpoints - note this is bypassable with encoding techniques and adds latency; (3) implement Content Security Policy (CSP) headers with 'script-src self' to prevent inline JavaScript execution - this may break existing legitimate inline scripts requiring code refactoring. Verify the fix post-upgrade by testing script injection in the Member Name field and confirming proper HTML entity encoding in rendered output.
Critical OS Command Injection vulnerability in WeGIA (a web management system for charitable institutions) versions prio
WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Rated critical
WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely
WeGIA is a web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23531