
Description

WeGIA is a Web Manager for Charitable Institutions. Prior to 3.6.2, a Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the WeGIA system, specifically within the html/memorando/insere_despacho.php file. The application fails to properly sanitize or encode user-supplied input via the id_memorando GET parameter before reflecting it into the HTML source (likely inside a <script> block or an attribute). This allows unauthenticated attackers to inject arbitrary JavaScript or HTML into the context of the user's browser session. This vulnerability is fixed in 3.6.2.

PUBLISHED Reserved 2026-01-15 | Published 2026-01-16 | Updated 2026-01-16 | Assigner GitHub_M




CRITICAL: 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

< 3.6.2: affected

References

github.com/.../WeGIA/security/advisories/GHSA-g7hh-6qj7-mcqf

cve.org (CVE-2026-23722)

nvd.nist.gov (CVE-2026-23722)
