3.6.11
CVE-2026-40286 describes a Stored Cross-Site Scripting (XSS) vulnerability discovered in WeGIA, a web manager for charitable institutions. This vulnerability allows attackers to inject malicious scripts that are persistently stored in the database, leading to potential compromise of user accounts and data integrity. The vulnerability affects versions 3.6.0 through 3.6.9. A patch is available in version 3.6.10.
The impact of this XSS vulnerability is significant. An attacker can inject arbitrary JavaScript code into the 'Member Name' field during member registration. This injected script is then stored in the database and executed whenever a user accesses pages displaying member information. This could lead to various malicious actions, including session hijacking, redirection to phishing sites, defacement of the WeGIA interface, and theft of sensitive user data such as login credentials or personal information. The blast radius extends to all users who interact with the affected functionality, potentially impacting the entire charitable institution and its members. While no specific real-world exploitation has been publicly reported, the ease of exploitation and potential impact make this a high-priority concern.
CVE-2026-40286 was published on April 17, 2026. Its severity is rated as HIGH with a CVSS score of 7.5. There are currently no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on KEV or EPSS, indicating a low to medium probability of exploitation. Monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.
Exploit Status
EPSS
0.04% (12% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-40286 is to immediately upgrade WeGIA to version 3.6.10, which contains the fix. If upgrading is not immediately feasible, consider implementing temporary workarounds. Input validation and sanitization on the 'Member Name' field can help prevent malicious scripts from being stored in the database. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review and update WAF rules to ensure they are effective against known XSS attack patterns. After upgrading to version 3.6.10, verify the fix by attempting to register a new member with a known malicious script in the 'Member Name' field; the script should not be executed.
Actualice WeGIA a la versión 3.6.10 o posterior para mitigar la vulnerabilidad de XSS. La actualización corrige la forma en que se manejan los datos de entrada en el campo 'Nombre Sócio', evitando el almacenamiento y ejecución de scripts maliciosos.
Vulnerability analysis and critical alerts directly to your inbox.
It's a Stored Cross-Site Scripting (XSS) vulnerability in WeGIA, allowing attackers to inject malicious scripts via the 'Member Name' field.
If you are using WeGIA versions 3.6.0 through 3.6.9, you are vulnerable. Upgrade to 3.6.10 immediately.
Upgrade WeGIA to version 3.6.10. As a temporary workaround, implement input validation and WAF rules.
Currently, there are no known public exploits or active campaigns targeting this vulnerability, but it remains a significant risk.
Refer to the official WeGIA security advisory and the NVD entry for CVE-2026-40286 for detailed information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.