CVE-2026-40283
Published: 17 April 2026
Summary
CVE-2026-40283 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in WeGIA. Its CVSS base score is 6.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); it is ranked at the 9.1 percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the improper input sanitization in the 'Nome' field that allowed authenticated users to inject and store malicious JavaScript.
- SI-15 (Information Output Filtering): prevents execution of stored XSS payloads by filtering or encoding output when rendering patient information in viewers' browsers.
- Flaw remediation: ensures timely remediation by applying the patch to version 3.6.10, eliminating the vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS enables persistent injection and execution of arbitrary JavaScript in victim browsers (T1059.007) and directly facilitates session hijacking through cookie theft as described.
NVD Description
WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the "Nome" field in the "Informações Pacientes" page. The payload is stored and executed when the patient information is viewed. Version 3.6.10 fixes the issue.
Deeper analysis
CVE-2026-40283 is a Stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting WeGIA versions prior to 3.6.10. WeGIA is a web manager for charitable institutions. The issue enables an authenticated user to inject malicious JavaScript via the "Nome" field on the "Informações Pacientes" page, where the payload is persistently stored in the database and executed in the browser context whenever the patient information is viewed by any user.
The vulnerability has a CVSS v3.1 base score of 6.8 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N), indicating exploitation over the network with low attack complexity, requiring high privileges, no user interaction, and scope change with high confidentiality impact. An authenticated attacker with sufficient privileges can inject the payload, which executes for subsequent viewers of the patient data, potentially enabling session hijacking, data exfiltration, or other client-side attacks against administrative or other users accessing the page.
The GitHub security advisory (GHSA-x74c-gwj9-6cwr) at https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-x74c-gwj9-6cwr confirms the details and states that upgrading to WeGIA version 3.6.10 resolves the vulnerability by addressing the improper input sanitization in the affected field.
Details
- CWE(s)