Platform
php
Component
wegia
Fixed in
3.6.11
CVE-2026-40286 describes a Stored Cross-Site Scripting (XSS) vulnerability discovered in WeGIA, a web manager for charitable institutions. This vulnerability allows attackers to inject malicious scripts that are persistently stored in the database, leading to potential compromise of user accounts and data integrity. The vulnerability affects versions 3.6.0 through 3.6.9. A patch is available in version 3.6.10.
Successful exploitation of CVE-2026-40286 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to a variety of malicious actions, including session hijacking, credential theft, redirection to phishing sites, and defacement of the WeGIA web interface. The stored nature of the XSS means the payload persists until removed, potentially affecting numerous users over time. The impact is amplified if WeGIA is used to manage sensitive member data, as attackers could potentially steal this information.
CVE-2026-40286 was publicly disclosed on 2026-04-17. No public proof-of-concept (PoC) code has been identified as of this writing. The EPSS score is pending evaluation. There are no indications of active exploitation campaigns targeting this vulnerability at this time.
Exploit status
EPSS
0.04% (12th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-40286 is to immediately upgrade WeGIA to version 3.6.10 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the 'Member Name' field to sanitize user-supplied data. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review WeGIA logs for suspicious activity, particularly related to the 'Member Registration' function.
Update WeGIA to version 3.6.10 or later to mitigate the XSS vulnerability. The update corrects how input data in the 'Nombre Sócio' field is handled, preventing malicious scripts from being stored and executed.
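The mitigation advice above (validate on input, encode on output) is easy to state and easy to get half right. The following is an added PHP example written for this page; it is not WeGIA's code and says nothing about how WeGIA's patch is implemented. The `members` table, the `$pdo` SQLite handle and the function names are assumptions that stand in for whatever the application actually uses. It shows a verbatim-echo rendering of a stored member name beside the hardened version, with encoding applied at the output boundary rather than by trying to strip markup on the way in.

```php
<?php
// Added example, not WeGIA code. Schema and function names are hypothetical.
declare(strict_types=1);

/**
 * Input validation: bound what is stored, but do not try to "clean" HTML here.
 * Names legitimately contain apostrophes, ampersands and non-ASCII letters,
 * so rejecting or stripping those would break real data; output encoding is
 * what neutralises them in the browser.
 */
function validateMemberName(string $raw): string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        throw new InvalidArgumentException('Member name must be 1-100 characters');
    }
    // Control characters have no place in a display name; reject them outright.
    if (preg_match('/[\x00-\x1F\x7F]/u', $name) === 1) {
        throw new InvalidArgumentException('Member name contains control characters');
    }
    return $name;
}

/** Store the validated name with a prepared statement (parameterised, no string building). */
function storeMemberName(PDO $pdo, string $raw): void
{
    $stmt = $pdo->prepare('INSERT INTO members (name) VALUES (:name)');
    $stmt->execute([':name' => validateMemberName($raw)]);
}

/** Encode a value for an HTML text node or quoted attribute value. */
function e(string $value): string
{
    // ENT_QUOTES covers both quote styles, ENT_SUBSTITUTE avoids returning an
    // empty string on invalid UTF-8, and the explicit charset prevents
    // encoding mismatches that can defeat the escaping.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: the stored value is interpolated into markup verbatim. */
function renderMemberRowVulnerable(string $name): string
{
    return "<td>$name</td>";
}

/** Hardened pattern: the same value is encoded at the point it enters HTML. */
function renderMemberRowSafe(string $name): string
{
    return '<td>' . e($name) . '</td>';
}

// Self-contained demo using an in-memory SQLite database (assumed schema).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample input: a name carrying markup. A benign marker is enough
// to show the difference between the two renderers.
storeMemberName($pdo, 'Ana <script>alert(1)</script>');

foreach ($pdo->query('SELECT name FROM members') as $row) {
    echo "vulnerable: ", renderMemberRowVulnerable($row['name']), PHP_EOL;
    echo "hardened:   ", renderMemberRowSafe($row['name']), PHP_EOL;
}
```

Running this prints the stored name twice: the vulnerable row contains a live `<script>` element, the hardened row contains only entity-encoded text that the browser displays literally. The important design point is that `e()` is applied where the value meets HTML, so it also protects values that reached the database before any input validation existed, which is exactly the situation after a stored XSS has been patched but the old rows are still there.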
It's a Stored Cross-Site Scripting (XSS) vulnerability in WeGIA, allowing attackers to inject malicious scripts via the 'Member Name' field.
If you are using WeGIA versions 3.6.0 through 3.6.9, you are vulnerable. Upgrade to 3.6.10 immediately.
Upgrade WeGIA to version 3.6.10. As a temporary workaround, implement input validation and WAF rules.
Currently, there are no known public exploits or active campaigns targeting this vulnerability, but it remains a significant risk.
Refer to the official WeGIA security advisory and the NVD entry for CVE-2026-40286 for detailed information.