CVE-2026-23725 is a stored Cross-Site Scripting (XSS) vulnerability categorized under CWE-79 that affects the WeGIA web management system developed by LabRedesCefetRJ. The vulnerability exists in versions prior to 3.6.2 within the html/pet/adotantes/cadastro_adotante.php and html/pet/adotantes/informacao_adotantes.php endpoints. These endpoints handle adopter information for charitable institutions but fail to properly sanitize or neutralize user-supplied input before rendering it in the Adopters Information table. This improper input handling allows an attacker to inject persistent malicious JavaScript code that executes automatically whenever any user accesses the affected pages. The vulnerability does not require authentication or privileges to exploit, but user interaction is necessary as the victim must visit the compromised page. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:P), and limited scope (S:C), resulting in a medium severity score of 5.3. Although no known exploits are reported in the wild, the persistent nature of the XSS can lead to session hijacking, credential theft, defacement, or distribution of malware to users of the application. The vendor has addressed the issue in version 3.6.2 by implementing proper input sanitization and output encoding to neutralize malicious scripts. Organizations using WeGIA should upgrade promptly to mitigate this risk.

For European organizations, especially charitable institutions using WeGIA, this vulnerability poses a risk of client-side attacks such as session hijacking, theft of sensitive information, and unauthorized actions performed on behalf of users. The persistent nature of the XSS means that once injected, the malicious script affects all users visiting the compromised pages, potentially leading to widespread impact within the organization. This can damage organizational reputation, lead to data breaches, and disrupt operations. Since the vulnerability requires no authentication, attackers can exploit it remotely and anonymously, increasing the threat surface. The impact is particularly significant for organizations handling sensitive donor or adopter information, as attackers could manipulate or steal this data. Although no active exploitation is reported, the medium severity score suggests that timely patching is critical to prevent potential attacks. Additionally, regulatory compliance under GDPR may be affected if personal data is compromised through this vulnerability.

1. Immediate upgrade of WeGIA installations to version 3.6.2 or later, where the vulnerability is fixed. 2. Implement Web Application Firewall (WAF) rules to detect and block malicious scripts targeting the vulnerable endpoints as a temporary protective measure. 3. Conduct thorough input validation and output encoding on all user-supplied data, especially in custom or legacy modules interfacing with WeGIA. 4. Perform regular security audits and penetration testing focusing on XSS and other injection vulnerabilities within the application. 5. Educate users and administrators about the risks of XSS and encourage cautious behavior when interacting with web content. 6. Monitor web server logs and application behavior for unusual activity indicative of attempted exploitation. 7. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in the browser. 8. Maintain an incident response plan to quickly address any detected exploitation attempts.