CVE-2026-40286
Stored XSS in WeGIA Member Registration Allows Persistent Script Execution
Publication date: 2026-04-17
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wegia | wegia | up to 3.6.10 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue found in WeGIA, a web manager for charitable institutions, in versions prior to 3.6.10. It occurs in the 'Member Registration' function where an attacker can inject malicious script code into the 'Member Name' field. This script is then stored persistently in the database and executed whenever a user visits certain URLs, potentially compromising user interactions.
How can this vulnerability impact me?
The impact of this vulnerability is that an attacker can execute malicious scripts in the context of users visiting affected pages. This can lead to unauthorized actions such as hijacking user sessions, defacing web content, or redirecting users to malicious sites. Since the vulnerability does not affect confidentiality or availability but does impact integrity, it can undermine the trust and security of user interactions.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in WeGIA version 3.6.10. To mitigate this vulnerability, you should upgrade your WeGIA installation to version 3.6.10 or later.
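As an added illustration of the flaw described above and of the remediation step (this is example code, not WeGIA's own): the vulnerable renderer writes a stored member name into HTML verbatim, the fixed renderer HTML-encodes it at output time, and an audit pass flags records already stored with markup in the name field, since upgrading closes the sink but does not rewrite existing rows. The `Member` record, the sample rows and the function names are assumptions made for the example.

```python
import html
from dataclasses import dataclass


@dataclass
class Member:
    """Minimal stand-in for a stored member row (assumed shape)."""
    id: int
    name: str


# Constructed sample data: row 2 carries a script tag in the name field, as
# an unneutralized registration form would have persisted it; row 3 is a
# legitimate name that still contains HTML-special characters.
SAMPLE_MEMBERS = [
    Member(1, "Maria Silva"),
    Member(2, '<script>document.title="xss"</script>'),
    Member(3, 'O\'Brien "Bob" <Jr>'),
]


def render_member_list_vulnerable(members):
    # CWE-79 pattern: the stored value is interpolated straight into the page,
    # so any markup in the name becomes live HTML for every viewer.
    rows = "".join(f'<li data-id="{m.id}">{m.name}</li>' for m in members)
    return f"<ul>{rows}</ul>"


def render_member_list_fixed(members):
    # Encode for the HTML text context at output time; quote=True also covers
    # the case where the same value is later placed inside an attribute.
    rows = "".join(
        f'<li data-id="{m.id}">{html.escape(m.name, quote=True)}</li>'
        for m in members
    )
    return f"<ul>{rows}</ul>"


def audit_stored_names(members):
    """Return ids of rows whose name holds characters that could form markup.

    A coarse post-upgrade check: rows written before the fix need review,
    because the patch does not clean values that were already persisted.
    """
    markers = ("<", ">", "javascript:")
    return [m.id for m in members if any(k in m.name.lower() for k in markers)]


if __name__ == "__main__":
    print(render_member_list_fixed(SAMPLE_MEMBERS))
    print("rows needing review:", audit_stored_names(SAMPLE_MEMBERS))
```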
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Member Registration function of WeGIA versions prior to 3.6.10. This type of vulnerability can lead to unauthorized script execution in users' browsers, potentially compromising user data integrity and security.
While the CVE description does not explicitly mention compliance with standards such as GDPR or HIPAA, Stored XSS vulnerabilities can impact compliance by exposing personal data to unauthorized access or manipulation, which may violate data protection requirements under these regulations.
Therefore, organizations using affected versions of WeGIA might face increased risk of non-compliance with data protection standards if this vulnerability is exploited.