{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40286", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T20:22:44.035Z", "datePublished": "2026-04-17T20:27:59.131Z", "dateUpdated": "2026-04-20T15:49:44.569Z"}, "containers": {"cna": {"title": "WeGIA has Cross-Site Scripting in Controle de Contribui\u00e7\u00e3o", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-42rc-rvrx-cmmw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-42rc-rvrx-cmmw"}], "affected": [{"vendor": "LabRedesCefetRJ", "product": "WeGIA", "versions": [{"version": "< 3.6.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T20:27:59.131Z"}, "descriptions": [{"lang": "en", "value": "WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the 'Member Registration' (Cadastrar S\u00f3cio) function. By injecting a payload into the 'Member Name' (Nome S\u00f3cio) field, the script is persistently stored in the database. Consequently, the payload is executed whenever a user navigates to certain URL. Version 3.6.10 fixes the issue."}], "source": {"advisory": "GHSA-42rc-rvrx-cmmw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T15:49:30.965027Z", "id": "CVE-2026-40286", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T15:49:44.569Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40286", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T15:49:30.965027Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T15:49:37.840Z"}}], "cna": {"title": "WeGIA has Cross-Site Scripting in Controle de Contribui\u00e7\u00e3o", "source": {"advisory": "GHSA-42rc-rvrx-cmmw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "LabRedesCefetRJ", "product": "WeGIA", "versions": [{"status": "affected", "version": "< 3.6.10"}]}], "references": [{"url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-42rc-rvrx-cmmw", "name": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-42rc-rvrx-cmmw", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the 'Member Registration' (Cadastrar S\u00f3cio) function. By injecting a payload into the 'Member Name' (Nome S\u00f3cio) field, the script is persistently stored in the database. Consequently, the payload is executed whenever a user navigates to certain URL. Version 3.6.10 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T20:27:59.131Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40286", "state": "PUBLISHED", "dateUpdated": "2026-04-20T15:49:44.569Z", "dateReserved": "2026-04-10T20:22:44.035Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-17T20:27:59.131Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the 'Member Registration' (Cadastrar S\u00f3cio) function. By injecting a payload into the 'Member Name' (Nome S\u00f3cio) field, the script is persistently stored in the database. Consequently, the payload is executed whenever a user navigates to certain URL. Version 3.6.10 fixes the issue."}], "id": "CVE-2026-40286", "lastModified": "2026-04-20T19:02:18.140", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-17T21:16:34.430", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-42rc-rvrx-cmmw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.6.10)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "WeGIA", "source": "cna", "vendor": "LabRedesCefetRJ"}, "product": "wegia", "vendor": "labredescefetrj"}], "analysis": {"en": {"generated_at": "2026-04-18T08:59:54.086423+00:00", "value": {"mitigation_remediation": ["Upgrade WeGIA to version 3.6.10 or later to eliminate the stored XSS flaw", "Ensure that the new release properly sanitizes or encodes all user\u2011supplied data before storing or rendering it, preventing scripts from being embedded in the database", "Deploy a strong Content Security Policy that blocks inline scripting and restricts script execution to trusted origins, minimizing the impact if a similar issue is introduced in the future"], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WeGIA web manager produced by LabRedesCefetRJ. Versions earlier than 3.6.10 are impacted; version 3.6.10 and later contain the fix.", "description_and_impact": "A stored Cross\u2011Site Scripting flaw was discovered in the Member Registration function of WeGIA. By entering a malicious script into the Member Name field, the payload is permanently saved to the database and subsequently executed whenever a user visits certain URLs. Consequently, an attacker that can insert such a payload can run arbitrary JavaScript code in the context of other users\u2019 browsers, potentially leading to session hijacking, credential theft, or the execution of malicious actions on behalf of those users.", "risk_and_exploitability": "The CVSS score of 7.5 indicates high severity, and the EPSS score is not available. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires the ability to submit data to the Member Registration form, after which the script is stored and later rendered to other users visiting affected pages\u2014an attack vector that does not necessitate additional privileges beyond registering a member or at least having write access to that form."}}}}, "created": "2026-04-17T21:30:28.227178+00:00", "updated": "2026-04-18T09:00:05.905625+00:00", "vendors": ["labredescefetrj", "labredescefetrj$PRODUCT$wegia"]}