Platform
php
Component
wegia
Fixed in
3.6.11
CVE-2026-40284 describes a Stored Cross-Site Scripting (XSS) vulnerability discovered in WeGIA, a web manager for charitable institutions. This vulnerability allows an authenticated user to inject malicious JavaScript code, potentially leading to session hijacking, defacement, or redirection. The vulnerability affects versions 3.6.0 through 3.6.10, and a patch is available in version 3.6.10.
An attacker exploiting this XSS vulnerability can inject arbitrary JavaScript code into the 'Destinatário' field within WeGIA. This payload is then stored and executed whenever another user views the dispatch page. The impact is significant because the malicious script can affect multiple users, not just the attacker. Attackers could steal session cookies, redirect users to phishing sites, or even modify the content displayed on the WeGIA platform. This could compromise sensitive data related to charitable donations and beneficiary information, leading to reputational damage and potential financial loss for the institution.
CVE-2026-40284 was publicly disclosed on 2026-04-17. Currently, there are no publicly available proof-of-concept exploits. The EPSS score is pending evaluation. It is recommended to prioritize patching due to the potential for widespread impact if exploited.
Exploit Status
EPSS
0.04% (12th percentile)
The primary mitigation for CVE-2026-40284 is to upgrade WeGIA to version 3.6.10 or later, which includes the fix for this vulnerability. If immediate upgrading is not possible, consider implementing strict input validation and output encoding on the 'Destinatário' field to sanitize user-supplied data. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review WeGIA's configuration and access controls to minimize the potential attack surface. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload into the 'Destinatário' field and verifying that it is properly sanitized and not executed.
Update WeGIA to version 3.6.10 or later to mitigate the XSS vulnerability. The update corrects how data from the 'Destinatário' field is handled, preventing the injection of malicious code.
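The workaround above (validate the 'Destinatário' input, encode it at output time) and the post-upgrade check, as an added PHP example that is not WeGIA's own code. The function names, the table-cell template and the sample value are assumptions made here for illustration; the point is the difference between echoing a stored value straight into HTML and encoding it first.

```php
<?php
// Added example, not code from WeGIA. Function names and the template are
// assumptions; only the field name 'Destinatário' comes from the advisory.
declare(strict_types=1);

/**
 * Encode a string for safe interpolation into HTML element content or a
 * double-quoted attribute value. ENT_QUOTES also encodes ' and ";
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
 */
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Server-side validation for the recipient field: trim, cap the length and
 * reject control characters. Validation narrows what is stored; encoding at
 * output time remains the control that actually prevents script execution.
 * Returns null when the value should be rejected.
 */
function validateRecipient(string $value): ?string
{
    $value = trim($value);
    if ($value === '' || mb_strlen($value, 'UTF-8') > 120) {
        return null;
    }
    if (preg_match('/[\x00-\x1F\x7F]/u', $value) === 1) {
        return null;
    }
    return $value;
}

// Vulnerable pattern: the stored value is echoed straight into the page.
function renderRecipientUnsafe(string $stored): string
{
    return '<td class="destinatario">' . $stored . '</td>';
}

// Hardened pattern: the same template with the value encoded at output time.
function renderRecipientSafe(string $stored): string
{
    return '<td class="destinatario">' . encodeForHtml($stored) . '</td>';
}

/**
 * Minimal post-upgrade check in the spirit of the advisory's advice: render a
 * harmless marker containing a script tag and confirm the raw tag never reaches
 * the HTML. Returns true when the rendering function is safe for this marker.
 */
function rendersWithoutRawScriptTag(callable $render): bool
{
    $marker = '<script>alert(1)</script>'; // constructed test marker, not a payload
    $html = $render($marker);
    return !str_contains($html, '<script>') && str_contains($html, '&lt;script&gt;');
}

if (rendersWithoutRawScriptTag('renderRecipientUnsafe')) {
    throw new RuntimeException('unsafe renderer unexpectedly passed the check');
}
if (!rendersWithoutRawScriptTag('renderRecipientSafe')) {
    throw new RuntimeException('safe renderer failed the check');
}

// Expected: <td class="destinatario">&lt;script&gt;alert(1)&lt;/script&gt;</td>
echo renderRecipientSafe('<script>alert(1)</script>'), PHP_EOL;

// Validation rejects empty, oversized and control-character input up front.
var_dump(validateRecipient("  Maria Silva  "));   // string(11) "Maria Silva"
var_dump(validateRecipient("bad\x00name"));       // NULL
```

Run it with `php example.php` on PHP 8 or later (`str_contains` is a PHP 8 function). Encoding belongs at the point where the value is written into HTML; if the field is also interpolated into a JavaScript block or a URL, each of those contexts needs its own encoder rather than `htmlspecialchars`.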
CVE-2026-40284 is a Stored Cross-Site Scripting (XSS) vulnerability in WeGIA versions 3.6.0 through 3.6.10, allowing authenticated users to inject malicious JavaScript.
You are affected if you are using WeGIA versions 3.6.0 through 3.6.10. Upgrade to version 3.6.10 to mitigate the risk.
Upgrade WeGIA to version 3.6.10. As a temporary workaround, implement input validation and output encoding on the 'Destinatário' field.
Currently, there are no confirmed reports of active exploitation, but it's crucial to patch promptly due to the potential impact.
Refer to the WeGIA official website or security advisories for the latest information and updates regarding CVE-2026-40284.