CVE-2026-42870: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in LabRedesCefetRJ WeGIA
WeGIA is a web manager for charitable institutions. In versions prior to 3.7.0, a Stored Cross-Site Scripting (XSS) flaw was identified at the following endpoint: funcionario/profile_funcionario.php?id_funcionario=2. By injecting a malicious payload into the 'Description' (Descrição) field and saving the profile, the script becomes persistently stored. The payload is subsequently executed whenever the profile page is accessed. This vulnerability is fixed in 3.7.0.
AI Analysis
Technical Summary
WeGIA versions before 3.7.0 contain a stored XSS vulnerability (CWE-79) in the 'Description' field of the funcionario/profile_funcionario.php endpoint. An attacker can inject malicious scripts that are saved persistently and executed upon viewing the profile page. This vulnerability allows for cross-site scripting attacks that could lead to script execution in the context of the victim's browser. The vulnerability is resolved in version 3.7.0 of WeGIA.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary scripts in the context of users viewing the affected profile page, potentially leading to session hijacking, defacement, or other malicious actions within the web application context. The vulnerability is rated medium severity with a CVSS score of 6.4. There are no reports of active exploitation in the wild.
Mitigation Recommendations
Upgrade WeGIA to version 3.7.0 or later, where this stored XSS vulnerability is fixed. Since the product is not a cloud service and no official patch advisory is provided, applying the vendor's fixed version is the recommended remediation. Patch status is inferred from the version fix; check the vendor's official channels for confirmation and further guidance.
CVE-2026-42870: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in LabRedesCefetRJ WeGIA
Description
WeGIA is a web manager for charitable institutions. In versions prior to 3.7.0, a Stored Cross-Site Scripting (XSS) flaw was identified at the following endpoint: funcionario/profile_funcionario.php?id_funcionario=2. By injecting a malicious payload into the 'Description' (Descrição) field and saving the profile, the script becomes persistently stored. The payload is subsequently executed whenever the profile page is accessed. This vulnerability is fixed in 3.7.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
WeGIA versions before 3.7.0 contain a stored XSS vulnerability (CWE-79) in the 'Description' field of the funcionario/profile_funcionario.php endpoint. An attacker can inject malicious scripts that are saved persistently and executed upon viewing the profile page. This vulnerability allows for cross-site scripting attacks that could lead to script execution in the context of the victim's browser. The vulnerability is resolved in version 3.7.0 of WeGIA.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary scripts in the context of users viewing the affected profile page, potentially leading to session hijacking, defacement, or other malicious actions within the web application context. The vulnerability is rated medium severity with a CVSS score of 6.4. There are no reports of active exploitation in the wild.
Mitigation Recommendations
Upgrade WeGIA to version 3.7.0 or later, where this stored XSS vulnerability is fixed. Since the product is not a cloud service and no official patch advisory is provided, applying the vendor's fixed version is the recommended remediation. Patch status is inferred from the version fix; check the vendor's official channels for confirmation and further guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-30T18:49:06.710Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a022c38cbff5d86104f7cd1
Added to database: 5/11/2026, 7:21:28 PM
Last enriched: 5/11/2026, 7:38:25 PM
Last updated: 5/12/2026, 3:51:31 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.