CVE-2026-6990
Cross-Site Scripting in projeto-siga /sigawf Component
Publication date: 2026-04-25
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| projeto-siga | siga | 11.0.3.18 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability described is a stored Cross-Site Scripting (XSS) flaw that allows attackers to execute malicious JavaScript code within authenticated user sessions, potentially exposing sensitive data such as cookies and session information.
Such exposure of sensitive data and unauthorized code execution can lead to violations of data protection regulations like GDPR and HIPAA, which require the safeguarding of personal and sensitive information against unauthorized access and breaches.
Because the vulnerability enables attackers to access session data and perform actions on behalf of users, it undermines the confidentiality and integrity principles mandated by these standards.
Therefore, the presence of this vulnerability in the SIGA application could negatively impact compliance with common standards and regulations by increasing the risk of data breaches and unauthorized data exposure.
Can you explain this vulnerability to me?
CVE-2026-6990 is a Stored Cross-Site Scripting (XSS) vulnerability found in the SIGA application, specifically in the "Cadastro de Responsáveis" component at the path /sigawf/app/responsavel/novo.
The vulnerability occurs because the application fails to properly sanitize and encode user input in the "Nome" and "Descrição" fields. Attackers can inject malicious JavaScript code that is stored in the system and later executed automatically when the data is displayed on the listing page (/sigawf/app/responsavel/listar).
Technically, the injected code is inserted directly into the DOM inside an `<a href>` element without proper encoding or sanitization. Although the system tries to filter out complete tags like `<script>` and `<img>`, this filtering can be bypassed using incomplete tags combined with comment syntax, allowing JavaScript execution.
This means that malicious scripts run in the context of authenticated users, potentially exposing session data and allowing attackers to perform actions on behalf of users.
How can this vulnerability impact me?
This vulnerability can have several impacts on users and the application:
- Persistent execution of malicious JavaScript code every time the affected page is loaded.
- Execution of malicious code within the context of authenticated users, inheriting their privileges.
- Exposure of sensitive data such as cookies, DOM elements, and session information.
- Potential for further exploitation, including performing unauthorized actions on behalf of the user and manipulating the application.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the input fields "Nome" and "Descrição" in the /sigawf/app/responsavel/novo page for stored cross-site scripting (XSS) payloads.
A practical detection method involves inserting a test payload such as `<img src=x onerror=alert(document.cookie)//` into these fields and then saving the record.
After saving, visiting the listing page /sigawf/app/responsavel/listar will reveal if the payload executes, indicating the presence of the vulnerability.
Commands or steps to detect this include:
- Access the vulnerable registration page: `/sigawf/app/responsavel/novo`.
- Insert the payload `<img src=x onerror=alert(document.cookie)//` into the "Nome" or "Descrição" fields.
- Save the record.
- Visit the listing page `/sigawf/app/responsavel/listar` and observe if an alert with the document cookie appears.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include preventing the injection and execution of malicious scripts by properly sanitizing and encoding user inputs.
Specifically, ensure that all input fields such as "Nome" and "Descrição" are validated and that any potentially dangerous characters or tags are neutralized before storing or rendering.
Implement contextual output encoding to prevent user-supplied content from being executed as code in the browser.
If possible, apply web application firewall (WAF) rules to detect and block suspicious payloads targeting these input fields.
Additionally, restrict user privileges to minimize the impact of any successful exploitation.
Since the project has not yet responded with a patch, consider monitoring the affected endpoints closely and educating users about the risk.
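The detection and mitigation answers above can both be illustrated with one small model of the problem. The following block is an added example written for this page; it is not code from projeto-siga and does not reproduce the application's actual filter. It models a tag blacklist of the kind the explanation describes (stripping only complete `<script>` and `<img>` tags), shows that the unclosed-tag payload quoted above passes through it unchanged, contrasts that with contextual HTML output encoding that neutralizes it regardless of tag shape, and adds a defender-side scan that flags already-stored records carrying markup. The field names `nome`/`descricao`, the edit URL, and the sample records are constructed assumptions for the example.

```javascript
// Added example (not projeto-siga code). Models the advisory's filter-bypass
// point and the recommended fix: contextual output encoding.

// 1. A blacklist filter of the kind the advisory describes. It removes only
//    complete <script ...>...</script> and <img ...> tags, so a tag that is
//    never closed with '>' is not matched at all (assumed behaviour).
function naiveTagFilter(input) {
  return String(input)
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "")
    .replace(/<img\b[^>]*>/gi, "");
}

// 2. Contextual output encoding for HTML text and quoted attribute values:
//    every character that can change the HTML parse state becomes an entity,
//    so stored text can never open a tag, end an attribute, or start a
//    comment when the listing page is rendered.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function encodeForHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Render one listing row the way a safe template would: the URL is encoded
// for its URL context, then everything placed into HTML is entity-encoded.
// The edit path is a constructed placeholder, not a real SIGA route.
function renderListingRow(record) {
  const href = "/sigawf/app/responsavel/editar?id=" + encodeURIComponent(record.id);
  return `<a href="${encodeForHtml(href)}">${encodeForHtml(record.nome)}</a> - ${encodeForHtml(record.descricao)}`;
}

// 3. Defender-side scan of stored data: flag values containing an opening
//    angle bracket followed by a tag-like character, or an on*= event handler
//    assignment, even when no closing '>' is present.
const MARKUP_PATTERN = /<\s*[a-z!\/]|\bon[a-z]+\s*=/i;
function findSuspiciousRecords(records) {
  return records.filter((r) => MARKUP_PATTERN.test(r.nome) || MARKUP_PATTERN.test(r.descricao));
}

// Constructed sample data: one benign record and one carrying the unclosed
// tag payload quoted in the detection answer above.
const SAMPLE_RECORDS = [
  { id: 1, nome: "Setor Financeiro", descricao: "Responsável pelo fluxo de pagamentos" },
  { id: 2, nome: "<img src=x onerror=alert(document.cookie)//", descricao: "teste" },
];

// Side-by-side view of what each approach does to the stored value.
function compareHandling(value) {
  return { blacklisted: naiveTagFilter(value), encoded: encodeForHtml(value) };
}

for (const r of findSuspiciousRecords(SAMPLE_RECORDS)) {
  console.log(`record ${r.id} flagged:`, compareHandling(r.nome));
}
```

The point the comparison makes is the one the explanation states: a blacklist keyed on complete tags has nothing to match when the tag is left open, while entity encoding applied at render time does not care what shape the markup takes. The scan is a triage aid for records written before the fix is deployed; it will also flag benign text containing `<`, so its hits need a human look rather than automatic deletion.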