CVE-2026-40283
Received Received - Intake
Stored XSS in WeGIA Patient Info Allows Script Injection

Publication date: 2026-04-17

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the "Nome" field in the "Informaçáes Pacientes" page. The payload is stored and executed when the patient information is viewed. Version 3.6.10 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-17
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-17
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40283
EUVD
EUVD-2026-23525
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wegia wegia to 3.6.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Stored Cross-Site Scripting (XSS) issue in WeGIA, a web manager for charitable institutions. In versions before 3.6.10, an authenticated user can inject malicious JavaScript code through the "Nome" field on the "Informaçáes Pacientes" page. This malicious code is then stored and executed whenever the patient information is viewed.

Impact Analysis

The vulnerability allows an authenticated user to execute malicious JavaScript in the context of other users viewing patient information. This can lead to unauthorized actions or data exposure within the application. Since the CVSS score indicates high confidentiality impact, sensitive data could be compromised, although integrity and availability are not affected.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade WeGIA to version 3.6.10 or later, as this version fixes the Stored Cross-Site Scripting (XSS) issue.

Detection Guidance

This vulnerability is a Stored Cross-Site Scripting (XSS) issue in WeGIA versions prior to 3.6.10, exploitable by an authenticated user injecting malicious JavaScript via the "Nome" field on the "Informaçáes Pacientes" page.

To detect this vulnerability on your system, you should verify the version of WeGIA you are running. If it is earlier than 3.6.10, it is potentially vulnerable.

Since the vulnerability requires authentication and injection into a specific field, detection involves checking for suspicious or unexpected JavaScript code stored in the "Nome" field of patient information.

There are no specific commands provided in the available information to detect this vulnerability automatically.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40283. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart