CVE-2026-23722 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the WeGIA web management system developed by LabRedesCefetRJ, primarily used by charitable institutions. The vulnerability resides in the html/memorando/insere_despacho.php script, where the id_memorando parameter received via HTTP GET requests is improperly neutralized before being reflected in the HTML output. Specifically, the application fails to sanitize or encode this user-supplied input, likely embedding it directly within a script block or an HTML attribute, which enables attackers to inject arbitrary JavaScript code. Because the vulnerability is reflected, the malicious payload is delivered via a crafted URL that, when visited by a victim, executes in their browser context. This attack vector does not require any authentication or user interaction beyond visiting the malicious link, making it highly accessible to attackers. The vulnerability impacts confidentiality and integrity by allowing theft of session cookies, credentials, or execution of unauthorized actions on behalf of the user. The CVSS 3.1 score of 9.1 reflects its critical nature with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The issue was fixed in WeGIA version 3.6.2 by implementing proper input validation and output encoding. No public exploits have been reported yet, but the high severity and ease of exploitation make it a significant threat to affected deployments.

For European organizations, especially charitable institutions using WeGIA versions prior to 3.6.2, this vulnerability poses a severe risk. Successful exploitation can lead to unauthorized disclosure of sensitive data such as donor information, internal communications, or user credentials, undermining trust and compliance with data protection regulations like GDPR. Attackers could hijack user sessions, impersonate legitimate users, or perform unauthorized actions within the application, potentially causing reputational damage and operational disruption. Since the vulnerability requires no authentication or user interaction, it can be exploited remotely and at scale, increasing the risk of widespread attacks. The impact on data confidentiality and integrity is critical, though availability is not directly affected. Given the sensitive nature of charitable organizations' data and their reliance on web-based management tools, exploitation could also lead to financial fraud or manipulation of charitable activities.

European organizations should immediately upgrade WeGIA to version 3.6.2 or later, where the vulnerability is patched. In addition to patching, implement strict input validation and output encoding on all user-supplied data, especially parameters reflected in HTML or script contexts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. Regularly audit web application code for injection flaws and conduct penetration testing focused on XSS vectors. Educate users about the risks of clicking on suspicious links and consider deploying web application firewalls (WAFs) configured to detect and block reflected XSS payloads targeting known vulnerable endpoints. Monitoring logs for unusual URL patterns or repeated access to the vulnerable endpoint can help detect exploitation attempts early. Finally, ensure incident response plans include procedures for handling XSS incidents to minimize damage.