CVE-2026-35399
Stored XSS in WeGIA Backup Filename Allows Code Execution
Publication date: 2026-04-06
Last updated on: 2026-04-09
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wegia | wegia | up to 3.6.9 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The stored XSS vulnerability in WeGIA prior to version 3.6.9 allows attackers to inject malicious scripts that can compromise session data or execute unauthorized actions on behalf of users.
Such a vulnerability can lead to unauthorized access or disclosure of sensitive user information, which may impact compliance with data protection regulations like GDPR or HIPAA that require safeguarding personal and sensitive data.
Therefore, if exploited, this vulnerability could result in violations of these standards due to failure to adequately protect user data and maintain secure application behavior.
Can you explain this vulnerability to me?
The vulnerability in WeGIA, a web manager for charitable institutions, is a stored Cross-Site Scripting (XSS) issue present prior to version 3.6.9.
An attacker can exploit this by injecting malicious scripts through a backup filename, which is then stored and later executed in the victim's browser.
This allows unauthorized execution of malicious code, potentially compromising session data or enabling actions to be performed on behalf of the user.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized execution of malicious scripts in your browser when interacting with the affected WeGIA application.
As a result, attackers could compromise your session data, steal sensitive information, or perform actions on your behalf without your consent.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade WeGIA to version 3.6.9 or later, where the stored XSS vulnerability through backup filenames has been fixed.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for backup files with suspicious or malicious filenames containing script code, especially those uploaded to the import endpoint (`importar_dump.php`).
A proof-of-concept exploit uses a specially crafted gzip backup file with a filename containing an XSS payload, such as ``../../../e/e/wegia`);alert(9999);;'.dump.tar.gz``.
To detect exploitation attempts or presence of malicious backup files, you can list backup files on the server and look for filenames containing suspicious characters or script tags.
- Use commands like `ls -l` or `find` on the backup directory to identify unusual filenames.
- Example: `find /path/to/backup/ -type f -name '*alert*'` to find files with 'alert' in the name.
- Monitor HTTP requests to the import endpoint (`importar_dump.php`) for uploads of files with suspicious names.
Additionally, reviewing web server logs for POST requests to `importar_dump.php` with unusual filenames can help detect attempts to exploit this vulnerability.
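The two checks described above, combined into one script as an added example (not part of the advisory or the WeGIA project): a filename check that flags any backup name containing characters a script or traversal payload needs, and an access-log pass that surfaces POST requests to `importar_dump.php`. The log lines, the backup directory name and the `/importar_dump.php` path are constructed assumptions; the uploaded filename itself travels in the multipart body, which access logs do not record, so the log pass only tells you who hit the endpoint and when, and the filename check is what you run against the backup directory.

```python
import re
from pathlib import Path

# A WeGIA backup name should be plain: letters, digits, dot, dash, underscore.
# Quotes, backticks, parentheses, semicolons, angle brackets or slashes mean
# the name was crafted, not generated.
SAFE_NAME = re.compile(r'^[A-Za-z0-9._-]+$')

# Common Log Format request line, e.g. '"POST /importar_dump.php HTTP/1.1" 200'
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def is_suspicious_filename(name: str) -> bool:
    """True when a backup filename could carry an XSS or path-traversal payload."""
    return name.startswith('.') or SAFE_NAME.fullmatch(name) is None


def flag_names(names) -> list:
    """Return the subset of filenames that fail the safe-name check."""
    return [n for n in names if is_suspicious_filename(n)]


def scan_backup_dir(directory: str) -> list:
    """Apply the check to every entry in an on-disk backup directory."""
    return sorted(flag_names(p.name for p in Path(directory).iterdir()))


def find_import_posts(log_lines) -> list:
    """Return (ip, timestamp, status) for each POST to importar_dump.php."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and m['method'] == 'POST' and m['path'].endswith('importar_dump.php'):
            hits.append((m['ip'], m['ts'], m['status']))
    return hits


# Constructed sample data: one benign name, the advisory's PoC filename, two log lines.
SAMPLE_NAMES = ['wegia_2026-04-06.dump.tar.gz',
                "../../../e/e/wegia`);alert(9999);;'.dump.tar.gz"]
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Apr/2026:10:01:02 +0000] "POST /importar_dump.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [06/Apr/2026:10:01:03 +0000] "GET /home.php HTTP/1.1" 200 2048',
    '198.51.100.9 - - [06/Apr/2026:10:05:44 +0000] "POST /importar_dump.php HTTP/1.1" 302 0',
]

if __name__ == '__main__':
    print('flagged names:', flag_names(SAMPLE_NAMES))
    print('import POSTs:', find_import_posts(SAMPLE_LOG))
```

Point `scan_backup_dir()` at the real backup directory and feed `find_import_posts()` the live access log to run it against the server instead of the samples.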