CVE-2026-23725 MEDIUM

CVE-2026-23725: WeGIA Stored Cross-Site Scripting (XSS) – nome Parameter on Adopters Information Page

Vendor Labredescefetrj
Product WeGIA
Weakness CWE-79 · XSS
Published January 16, 2026
Last update January 16, 2026
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/pet/adotantes/cadastro_adotante.php and html/pet/adotantes/informacao_adotantes.php endpoint of the WeGIA application. The application does not sanitize user-controlled input before rendering it inside the Adopters Information table, allowing persistent JavaScript injection. Any user who visits the page will have the payload executed automatically. This vulnerability is fixed in 3.6.2.

Key dates

02Disclosure timeline

January 16, 2026 CVE published
January 16, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-31462 WordPress CGM Event Calendar plugin <= 0.8.5 - Cross Site Scripting (XSS) Vulnerability CVE-2021-41183 XSS in `*Text` options of the Datepicker widget CVE-2024-9207 BuddyPress Docs <= 2.2.3 - Reflected Cross-Site Scripting CVE-2025-2836 RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login <= 6.0.4.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting CVE-2024-30195 WordPress New RoyalSlider plugin <= 3.4.2 - Reflected Cross Site Scripting (XSS) vulnerability