Platform: php
Component: wegia
Fixed in: 3.6.3
A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in WeGIA, a Web Manager for Charitable Institutions, affecting versions up to 3.6.2. This flaw allows attackers to inject malicious JavaScript code into a user's browser session, potentially leading to account compromise and data theft. The vulnerability resides within the html/memorando/inseredespacho.php file, specifically in how it handles the idmemorando GET parameter. A fix is available in version 3.6.2.
The impact of this XSS vulnerability is significant. An attacker can leverage it to execute arbitrary JavaScript code within the context of a victim's browser session. This can be used to steal session cookies, redirect users to malicious websites, deface the WeGIA interface, or stage further attacks against the user's system. Because no authentication is required to exploit the flaw, the attack surface is broad and accessible to a wide range of threat actors. Successful exploitation could compromise sensitive donor information, financial records, and other confidential data managed within the WeGIA system.
This vulnerability was publicly disclosed on 2026-01-16. While no active exploitation campaigns have been publicly reported, the ease of exploitation and the Critical CVSS score suggest a high probability of exploitation. The absence of any authentication requirement makes it a particularly attractive target for opportunistic attackers. The CVE is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
Exploit Status
EPSS: 0.11% (29th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-23722 is to immediately upgrade WeGIA to version 3.6.2 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out requests containing suspicious JavaScript code in the idmemorando parameter. Server-side input validation and output encoding, specifically within the inseredespacho.php file, also prevent this class of XSS. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple JavaScript payload (e.g., <script>alert('XSS')</script>) through the id_memorando parameter and verifying that it does not execute.
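The following is an added illustration, not code from WeGIA or from the advisory, of the two server-side controls mentioned above: a minimal handler that reflects a GET parameter straight into the page, next to a hardened version that validates the id and encodes it on output. The function names, the response text and the sample inputs are assumptions made for this example; only the parameter name idmemorando and the probe payload come from the advisory.

```php
<?php
// Added example (not WeGIA's own code). The advisory names the real handler as
// html/memorando/inseredespacho.php; the functions below are hypothetical stand-ins.
declare(strict_types=1);

// Vulnerable pattern: the raw GET value is concatenated into the HTML response,
// so any markup supplied in the URL is rendered by the victim's browser.
function renderVulnerable(array $get): string
{
    $id = $get['idmemorando'] ?? '';
    return '<p>Despacho registrado para o memorando ' . $id . '</p>';
}

// Hardened pattern: validate first (a memorando id should be a positive integer),
// then encode on output so nothing that survives validation can change the HTML
// context. Both steps are cheap; the encoding alone would already neutralise
// the probe, but validation also rejects junk before it reaches any query.
function renderHardened(array $get): string
{
    $raw = $get['idmemorando'] ?? '';
    // FILTER_VALIDATE_INT returns false for anything that is not an in-range integer.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return '<p>Id de memorando invalido.</p>';
    }
    // ENT_QUOTES encodes both quote styles, which matters when a value is ever
    // placed inside an attribute rather than element text.
    $safe = htmlspecialchars((string) $id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Despacho registrado para o memorando ' . $safe . '</p>';
}

// Constructed inputs: an ordinary request and the probe the advisory suggests
// using to confirm that an upgraded install no longer reflects script.
$benign = ['idmemorando' => '42'];
$probe  = ['idmemorando' => "<script>alert('XSS')</script>"];

echo renderVulnerable($benign), PHP_EOL; // plain paragraph with the id
echo renderVulnerable($probe), PHP_EOL;  // the <script> tag lands in the page: reflected XSS
echo renderHardened($benign), PHP_EOL;   // plain paragraph with the id
echo renderHardened($probe), PHP_EOL;    // rejected with HTTP 400 before any reflection
```

Run it from the command line with `php example.php` and compare the second and fourth lines of output: the first shows the payload reflected verbatim, the second shows it never reaching the response. A WAF rule on the idmemorando parameter is a reasonable stop-gap, but the encode-on-output step is what makes the page safe regardless of which characters a filter happens to miss.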
Update WeGIA to version 3.6.2 or later. This version contains the fix for the XSS vulnerability. Download the latest version from the vendor's official website or through the provided update channels.
CVE-2026-23722 is a critical Reflected Cross-Site Scripting (XSS) vulnerability in WeGIA versions up to 3.6.2, allowing attackers to inject malicious JavaScript code.
You are affected if you are using WeGIA version 3.6.2 or earlier. Immediately check your version and apply the necessary updates.
Upgrade WeGIA to version 3.6.2 or later. Consider implementing a WAF rule to filter malicious requests as an interim measure.
While no active exploitation campaigns have been publicly confirmed, the vulnerability's severity and ease of exploitation suggest a high probability of future attacks.
Refer to the WeGIA website and security advisories for the official announcement and detailed remediation steps.