CVE-2026-23725
MEDIUMWeGIA < 3.6.2 - Stored Cross-Site Scripting in Adopters Information Table
Title source: llmDescription
WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/pet/adotantes/cadastro_adotante.php and html/pet/adotantes/informacao_adotantes.php endpoint of the WeGIA application. The application does not sanitize user-controlled input before rendering it inside the Adopters Information table, allowing persistent JavaScript injection. Any user who visits the page will have the payload executed automatically. This vulnerability is fixed in 3.6.2.
References (3)
Core 3
Core References
Exploit, Mitigation, Vendor Advisory x_refsource_confirm
https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-c85q-4fwg-99gw
Issue Tracking, Patch x_refsource_misc
https://github.com/LabRedesCefetRJ/WeGIA/pull/1333
Release Notes x_refsource_misc
https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2
Scores
CVSS v3
5.4
EPSS
0.0002
EPSS Percentile
4.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
wegia/wegia
< 3.6.2
Published
Jan 16, 2026
Tracked Since
Feb 18, 2026