CVE-2026-42870 | THREATINT

Description

WeGIA is a web manager for charitable institutions. In versions prior to 3.7.0, a Stored Cross-Site Scripting (XSS) flaw was identified at the following endpoint: funcionario/profile_funcionario.php?id_funcionario=2. By injecting a malicious payload into the 'Description' (Descrição) field and saving the profile, the script becomes persistently stored. The payload is subsequently executed whenever the profile page is accessed. This vulnerability is fixed in 3.7.0.

PUBLISHED Reserved 2026-04-30 | Published 2026-05-11 | Updated 2026-05-11 | Assigner GitHub_M

MEDIUM: 6.4CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

< 3.7.0

affected

References

github.com/.../WeGIA/security/advisories/GHSA-q6jg-hfqv-882f exploit

github.com/.../WeGIA/security/advisories/GHSA-q6jg-hfqv-882f

cve.org (CVE-2026-42870)

nvd.nist.gov (CVE-2026-42870)

Download JSON