CVE-2026-40282
Description
WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript into the Intercorrências notification page, which is executed when a user accesses the page, enabling session hijacking and account takeover. Version 3.6.10 fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in WeGIA prior to 3.6.10 allows authenticated attackers to inject JavaScript via user name field, leading to session hijacking and account takeover.
Vulnerability
A Stored Cross-Site Scripting (XSS) vulnerability exists in WeGIA versions prior to 3.6.10. The application fails to properly sanitize or encode the user name field, which is displayed in system notifications. When an intercorrência is registered, a notification is generated that renders the user name without escaping, allowing injected code to execute in the browser [1].
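The failure described above is an output-encoding defect: a stored name is written into notification markup without escaping. The Python below is an added illustration, not WeGIA's own code (WeGIA's rendering code is not on this page), and the patient records and the script-tag probe in them are constructed. It puts the vulnerable rendering pattern beside the hardened one and adds a small audit helper that flags already-stored records containing markup characters, which is the check a defender would want to run over data that entered the database before an upgrade to 3.6.10.

```python
import html
import re

# Constructed sample records, shaped like rows in a patients table.
# The second record carries a constructed script-tag probe in its name field.
PATIENTS = [
    {"id": 1, "name": "Maria", "surname": "Silva"},
    {"id": 2, "name": "Ana <script>alert(1)</script>", "surname": "Souza"},
]


def render_notification_unsafe(patient, note):
    """Vulnerable pattern: stored fields are concatenated straight into HTML.

    Whatever was saved in the name fields becomes live markup in the viewer's
    browser, which is the stored-XSS condition described for the notification page.
    """
    full_name = f"{patient['name']} {patient['surname']}"
    return f"<li><b>{full_name}</b>: {note}</li>"


def render_notification_safe(patient, note):
    """Hardened pattern: every untrusted value is HTML-encoded at output time.

    html.escape with quote=True also encodes double and single quotes, so the
    value is safe inside attribute values as well as element content.
    """
    full_name = html.escape(f"{patient['name']} {patient['surname']}", quote=True)
    return f"<li><b>{full_name}</b>: {html.escape(note, quote=True)}</li>"


# Characters that have meaning in HTML and therefore should not appear in a
# person's name. Their presence in stored data is worth a manual review.
MARKUP_CHARS = re.compile(r"[<>\"']")


def suspicious_records(records):
    """Return the ids of stored records whose name fields contain markup characters.

    Intended as a one-off audit over data stored before the fix was applied;
    it does not replace output encoding, which must still happen on every render.
    """
    flagged = []
    for rec in records:
        if MARKUP_CHARS.search(rec["name"]) or MARKUP_CHARS.search(rec["surname"]):
            flagged.append(rec["id"])
    return flagged


if __name__ == "__main__":
    for p in PATIENTS:
        print(render_notification_safe(p, "intercorrência registered"))
    print("records to review:", suspicious_records(PATIENTS))
```

The safe renderer is the shape of the fix: encoding happens at the point where the value is written into HTML, regardless of what was accepted at input time. The audit helper only narrows down what to look at in data that was stored while the vulnerable version was in use.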
Exploitation
An authenticated attacker can register a patient with a malicious payload (e.g., ``) in the name or surname field. After creating an intercorrência entry for that patient, any user who navigates to the Intercorrências notification page and views "Recentes" or "Histórico" will trigger the payload in their browser [1].
Impact
Successful exploitation enables arbitrary JavaScript execution in victims' browsers. An attacker can steal session cookies, perform actions on behalf of authenticated users, and potentially achieve full account takeover [1].
Mitigation
The vulnerability is fixed in WeGIA version 3.6.10. Users should upgrade immediately to prevent exploitation [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.