{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40283", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T20:22:44.035Z", "datePublished": "2026-04-17T20:03:14.016Z", "dateUpdated": "2026-04-20T14:58:05.365Z"}, "containers": {"cna": {"title": "WeGIA has stored XSS in profile_paciente.php", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-x74c-gwj9-6cwr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-x74c-gwj9-6cwr"}], "affected": [{"vendor": "LabRedesCefetRJ", "product": "WeGIA", "versions": [{"version": "< 3.6.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T20:03:14.016Z"}, "descriptions": [{"lang": "en", "value": "WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the \"Nome\" field in the \"Informa\u00e7\u00f5es Pacientes\" page. The payload is stored and executed when the patient information is viewed. Version 3.6.10 fixes the issue."}], "source": {"advisory": "GHSA-x74c-gwj9-6cwr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T14:42:26.622428Z", "id": "CVE-2026-40283", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:58:05.365Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40283", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T14:42:26.622428Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:42:27.915Z"}}], "cna": {"title": "WeGIA has stored XSS in profile_paciente.php", "source": {"advisory": "GHSA-x74c-gwj9-6cwr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "LabRedesCefetRJ", "product": "WeGIA", "versions": [{"status": "affected", "version": "< 3.6.10"}]}], "references": [{"url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-x74c-gwj9-6cwr", "name": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-x74c-gwj9-6cwr", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the \"Nome\" field in the \"Informa\u00e7\u00f5es Pacientes\" page. The payload is stored and executed when the patient information is viewed. Version 3.6.10 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T20:03:14.016Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40283", "state": "PUBLISHED", "dateUpdated": "2026-04-20T14:58:05.365Z", "dateReserved": "2026-04-10T20:22:44.035Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-17T20:03:14.016Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*", "matchCriteriaId": "8597A30D-8861-445A-B401-4B25390C62A6", "versionEndExcluding": "3.6.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the \"Nome\" field in the \"Informa\u00e7\u00f5es Pacientes\" page. The payload is stored and executed when the patient information is viewed. Version 3.6.10 fixes the issue."}], "id": "CVE-2026-40283", "lastModified": "2026-04-27T15:17:29.820", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-17T20:16:35.793", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-x74c-gwj9-6cwr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.6.10)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "WeGIA", "source": "cna", "vendor": "LabRedesCefetRJ"}, "product": "wegia", "vendor": "labredescefetrj"}], "analysis": {"en": {"generated_at": "2026-04-18T17:07:39.955957+00:00", "value": {"mitigation_remediation": ["Update to WeGIA 3.6.10 or any later release that includes the fix.", "Limit access to the patient information editing interface so that only trusted staff members can modify records.", "Implement server\u2011side sanitization or whitelisting for the Nome field to remove script tags or other potentially dangerous content if an upgrade cannot be performed immediately."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The flaw exists in all releases of WeGIA distributed by LabRedesCefetRJ that precede version 3.6.10. Any deployment that has not applied the 3.6.10 update remains vulnerable. Versions 3.6.10 and later contain the fix that removes the insecure input handling for the Nome field.", "description_and_impact": "WeGIA is a web manager for charitable institutions that stores patient information. In versions earlier than 3.6.10 the application accepts user input for the \u201cNome\u201d (Name) field in the patient information page without proper sanitization. An authenticated user can therefore inject a malicious JavaScript payload that is persisted in the database and executed automatically when the patient record is viewed by any user. This stored cross\u2011site scripting flaw can allow the injected script to run in the context of the victim\u2019s browser, potentially affecting data integrity or exposing sensitive information to the attacker.", "risk_and_exploitability": "The CVSS score of 6.8 classifies this vulnerability as moderate severity. EPSS is not available at the present time, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a legitimate user account with permission to edit patient records; once a malicious payload is stored, it will execute for every user who views the affected patient data. Consequently the attack surface is limited to authenticated users with editing privileges, but the impact spreads to any viewer of the record."}}}}, "created": "2026-04-17T23:00:12.395815+00:00", "updated": "2026-04-18T17:15:05.781585+00:00", "vendors": ["labredescefetrj", "labredescefetrj$PRODUCT$wegia"]}