CVE-2026-35399 HIGH

CVE-2026-35399: WeGIA has Stored XSS in backup file names

Vendor Labredescefetrj
Product WeGIA
Weakness CWE-79 · XSS
Published April 6, 2026
Last update April 7, 2026

CVSS base score

8.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, a stored XSS vulnerability allows an attacker to inject malicious scripts through a backup filename. This could lead to unauthorized execution of malicious code in the victim's browser, compromising session data or executing actions on behalf of the user. This vulnerability is fixed in 3.6.9.

Key dates

02Disclosure timeline

April 6, 2026 CVE published
April 7, 2026 Record updated