CVE-2026-40286
Received Received - Intake
Stored XSS in WeGIA Member Registration Allows Persistent Script Execution

Publication date: 2026-04-17

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the 'Member Registration' (Cadastrar SΓ³cio) function. By injecting a payload into the 'Member Name' (Nome SΓ³cio) field, the script is persistently stored in the database. Consequently, the payload is executed whenever a user navigates to certain URL. Version 3.6.10 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-17
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40286
EUVD
EUVD-2026-23531
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wegia wegia to 3.6.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Stored Cross-Site Scripting (XSS) issue found in WeGIA, a web manager for charitable institutions, in versions prior to 3.6.10. It occurs in the 'Member Registration' function where an attacker can inject malicious script code into the 'Member Name' field. This script is then stored persistently in the database and executed whenever a user visits certain URLs, potentially compromising user interactions.

Impact Analysis

The impact of this vulnerability is that an attacker can execute malicious scripts in the context of users visiting affected pages. This can lead to unauthorized actions such as hijacking user sessions, defacing web content, or redirecting users to malicious sites. Since the vulnerability does not affect confidentiality or availability but impacts integrity, it can undermine trust and security of user interactions.

Mitigation Strategies

The vulnerability is fixed in WeGIA version 3.6.10. To mitigate this vulnerability, you should upgrade your WeGIA installation to version 3.6.10 or later.

Compliance Impact

The vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Member Registration function of WeGIA versions prior to 3.6.10. This type of vulnerability can lead to unauthorized script execution in users' browsers, potentially compromising user data integrity and security.

While the CVE description does not explicitly mention compliance with standards such as GDPR or HIPAA, Stored XSS vulnerabilities can impact compliance by exposing personal data to unauthorized access or manipulation, which may violate data protection requirements under these regulations.

Therefore, organizations using affected versions of WeGIA might face increased risk of non-compliance with data protection standards if this vulnerability is exploited.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40286. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart