CVE 9.1 CRITICAL

WeGIA has a Reflected Cross-Site Scripting (XSS) vulnerability allowing arbitrary code execution and UI redressing._CVE-2026-23722

January 16, 2026 invoker category_cve

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

WeGIA is a Web Manager for Charitable Institutions. Prior to 3.6.2, a Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the WeGIA system, specifically within the html/memorando/insere_despacho.php file. The application fails to properly sanitize or encode user-supplied input via the id_memorando GET parameter before reflecting it into the HTML source (likely inside a <script> block or an attribute). This allows unauthenticated attackers to inject arbitrary JavaScript or HTML into the context of the user's browser session. This vulnerability is fixed in 3.6.2.

AI Analysis

Reflected Cross-Site Scripting (XSS) vulnerability in WeGIA system, allowing arbitrary code execution and UI redressing.

Basic Information

ID CVE-2026-23722

Source GitHub_M

Published Jan 16, 2026 at 19:29

Affected Product

Vendor LabRedesCefetRJ

Product WeGIA

Version < 3.6.2

Affected Versions LabRedesCefetRJ WeGIA < 3.6.2

CWE Classification

CWE-79

AI Assessment

AI Score 9.1 / 10

AI Severity Critical

Vendor LabRedesCefetRJ

Product WeGIA

Version < 3.6.2

References

github.com /LabRedesCefetRJ/WeGIA/security/advisories/GHSA-g7hh-6qj7-mcqf

{
    "lastseen": "",
    "description": "WeGIA is a Web Manager for Charitable Institutions. Prior to 3.6.2, a Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the WeGIA system, specifically within the html/memorando/insere_despacho.php file. The application fails to properly sanitize or encode user-supplied input via the id_memorando GET parameter before reflecting it into the HTML source (likely inside a <script> block or an attribute). This allows unauthenticated attackers to inject arbitrary JavaScript or HTML into the context of the user's browser session. This vulnerability is fixed in 3.6.2.",
    "published": "2026-01-16T19:29:53.736Z",
    "modified": "2026-01-16T19:29:53.736Z",
    "type": "cve",
    "title": "WeGIA has a Reflected Cross-Site Scripting (XSS) vulnerability allowing arbitrary code execution and UI redressing.",
    "source": "GitHub_M",
    "references": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-g7hh-6qj7-mcqf",
    "id": "CVE-2026-23722",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "LabRedesCefetRJ WeGIA < 3.6.2",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "WeGIA",
    "version": "< 3.6.2",
    "vendor": "LabRedesCefetRJ",
    "ai_description": "Reflected Cross-Site Scripting (XSS) vulnerability in WeGIA system, allowing arbitrary code execution and UI redressing.",
    "ai_severity": "Critical",
    "ai_vendor": "LabRedesCefetRJ",
    "ai_product": "WeGIA",
    "ai_version": "< 3.6.2",
    "ai_score": 9.1
}

💭 Join the Security Discussion ❌ Cancel Reply