CVE-2026-6990

LOW

projeto-siga novo cross site scripting

Title source: cna

Description

A vulnerability was found in projeto-siga siga 11.0.3.18. The affected element is an unknown function of the file /sigawf/app/responsavel/novo. Performing a manipulation of the argument Nome/Descrição results in cross site scripting. The attack can be initiated remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

References (6)

[Vdb Entry, Technical Description] https://vuldb.com/vuln/359542

[Signature, Permissions Required] https://vuldb.com/vuln/359542/cti

[Third Party Advisory] https://vuldb.com/submit/796647

[Issue Tracking] https://github.com/projeto-siga/siga/issues/2491

[Exploit] https://github.com/ViniCastro2001/Security_Reports/tree/main/siga/Stored-XSS-Responsavel

View Exploit ZIP pw:eip

[Product] https://github.com/projeto-siga/siga/

Scores

CVSS v3 3.5

EPSS 0.0001

EPSS Percentile 1.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79 CWE-94

Status published

Products (1)

projeto-siga/siga 11.0.3.18

Published Apr 25, 2026

Tracked Since Apr 25, 2026