CVE-2026-42872 MEDIUM

CVE-2026-42872: WeGIA: Reflected XSS in listar_arquivos_etapa.php

Vendor Labredescefetrj

Product WeGIA

Weakness CWE-79 · XSS

Published May 11, 2026

Last update May 11, 2026

View on NVD All CVEs

CVSS base score

6.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

Description

WeGIA is a web manager for charitable institutions. In versions prior to 3.7.0, a reflected Cross-Site Scripting (XSS) vulnerability exists in lista_arquivos_etapa.php due to improper handling of user-supplied input. The id_processo parameter is directly embedded into the HTML without sanitization, allowing attackers to inject arbitrary JavaScript. This can lead to session hijacking, credential theft, or execution of malicious actions in the context of the victim's browser. This vulnerability is fixed in 3.7.0.

Key dates

Disclosure timeline

May 11, 2026 CVE published

May 11, 2026 Record updated