CVE-2026-23725

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/pet/adotantes/cadastro_adotante.php and html/pet/adotantes/informacao_adotantes.php endpoint of the WeGIA application. The application does not sanitize user-controlled input before rendering it inside the Adopters Information table, allowing persistent JavaScript injection. Any user who visits the page will have the payload executed automatically. This vulnerability is fixed in 3.6.2.
Configurations

Configuration 1 (hide)

cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*

History

17 Jun 2026, 10:22

Type Values Removed Values Added
Summary
  • (es) WeGIA es un gestor web para instituciones benéficas. Antes de la 3.6.2, se identificó una vulnerabilidad de cross-site scripting (XSS) almacenado en el endpoint html/pet/adotantes/cadastro_adotante.PHP y html/pet/adotantes/informacao_adotantes.PHP de la aplicación WeGIA. La aplicación no sanea la entrada controlada por el usuario antes de renderizarla dentro de la tabla de Información de Adoptantes, lo que permite la inyección persistente de JavaScript. A cualquier usuario que visite la página se le ejecutará la carga útil automáticamente. Esta vulnerabilidad está corregida en la 3.6.2.

30 Jan 2026, 18:29

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.4
References () https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 - () https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 - Issue Tracking, Patch
References () https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 - () https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 - Release Notes
References () https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-c85q-4fwg-99gw - () https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-c85q-4fwg-99gw - Exploit, Mitigation, Vendor Advisory
First Time Wegia wegia
Wegia
CPE cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*

16 Jan 2026, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2026-01-16 20:15

Updated : 2026-06-17 10:22


NVD link : CVE-2026-23725

Mitre link : CVE-2026-23725

CVE.ORG link : CVE-2026-23725


JSON object : View

Products Affected

wegia

  • wegia
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')