The vulnerability CVE-2026-23725 affects the WeGIA web management system developed by LabRedesCefetRJ, specifically versions prior to 3.6.2. It is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, arising from improper neutralization of user input during web page generation. The affected endpoints, html/pet/adotantes/cadastro_adotante.php and html/pet/adotantes/informacao_adotantes.php, fail to sanitize user-supplied data before embedding it into the Adopters Information table. This allows an attacker to inject persistent malicious JavaScript code that executes automatically when any user accesses these pages. The attack vector is network-based with low attack complexity and does not require privileges or authentication, but does require the victim to visit the compromised page (user interaction). The vulnerability impacts confidentiality and integrity by enabling session hijacking, credential theft, or unauthorized actions performed in the context of the victim's browser session. The CVSS 4.0 score of 5.3 reflects a medium severity, with limited scope and no known exploits in the wild. The issue is resolved in WeGIA version 3.6.2 by implementing proper input sanitization and output encoding to neutralize malicious scripts. Organizations using WeGIA should apply this update promptly to prevent exploitation.

For European organizations, especially charitable institutions using the WeGIA platform, this vulnerability poses a risk of client-side attacks that could compromise user sessions, steal sensitive information, or deface web content. Given that the vulnerability allows persistent JavaScript injection, attackers could target donors, volunteers, or staff accessing the affected pages, potentially leading to phishing, credential theft, or unauthorized actions performed under the victim's identity. This could damage organizational reputation, lead to data breaches, and disrupt operations. Although no known exploits are reported, the ease of exploitation and the public availability of the vulnerability increase the risk of future attacks. The impact is more pronounced for organizations with high web traffic or those handling sensitive personal data through the affected endpoints. Additionally, regulatory compliance under GDPR mandates protection of personal data, and exploitation of this vulnerability could result in violations and penalties.

1. Immediate upgrade of WeGIA installations to version 3.6.2 or later, where the vulnerability is fixed. 2. Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the affected endpoints, focusing on typical XSS attack patterns. 3. Conduct regular security audits and code reviews to ensure proper input validation and output encoding practices are enforced beyond the patched version. 4. Educate users and administrators about the risks of XSS and encourage cautious behavior when interacting with web content. 5. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers accessing the application. 6. Monitor logs for unusual activity or repeated access to the vulnerable endpoints that could indicate exploitation attempts. 7. If upgrading immediately is not feasible, consider temporarily disabling or restricting access to the affected pages to reduce exposure.