CVE-2026-40282

MEDIUM

WeGIA has stored XSS in intercorrencia_visualizar.php

Title source: cna

Description

WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript into the Intercorrências notification page, which is executed when user access the the page, enabling session hijacking and account takeover. Version 3.6.10 fixes the issue.

References (1)

[X_Refsource_Confirm] https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-r6h8-7vxv-q8pp

Scores

CVSS v4 6.4

EPSS 0.0006

EPSS Percentile 19.1%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

LabRedesCefetRJ/WeGIA < 3.6.10

Published Apr 17, 2026

Tracked Since Apr 18, 2026