Reflected Cross-Site Scripting in WeGIA Web Manager for Charitable Institutions
CVE-2026-42872

6.1 MEDIUM

Key Information:

CVE Published: 11 May 2026

What is CVE-2026-42872?

WeGIA, a web manager for charitable institutions, has a reflected Cross-Site Scripting (XSS) vulnerability in 'lista_arquivos_etapa.php' that affects versions prior to 3.7.0. The issue arises from improper handling of user-supplied input: the 'id_processo' parameter is embedded directly into the HTML without appropriate sanitization. Malicious actors can exploit this flaw to inject arbitrary JavaScript, resulting in significant risks such as session hijacking, credential theft, or the execution of harmful actions within the victim's browser environment. Users are advised to upgrade to version 3.7.0 or later to mitigate this risk.
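The pattern described above, shown beside a hardened form. This is an added example, not WeGIA's code or the 3.7.0 patch: the function names and the HTML fragment are hypothetical, and it assumes 'id_processo' is meant to be a positive integer identifier.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the flaw class in the advisory; not WeGIA source.
function renderUnsafe(array $query): string
{
    $id = $query['id_processo'] ?? '';
    // Reflected verbatim: markup characters in the value become part of the page.
    return '<input type="hidden" name="id_processo" value="' . $id . '">';
}

// Hardened form: validate the expected type, then encode for the HTML context.
function renderSafe(array $query): string
{
    // Assumption: the parameter is a positive integer id. Arrays, empty
    // values and anything non-numeric make filter_var() return false.
    $id = filter_var(
        $query['id_processo'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        // Reject without echoing any part of the original input back.
        return '<p>Invalid process id.</p>';
    }
    // Encoding stays in place even after validation, so the output remains
    // safe if the validation rule is later relaxed.
    $encoded = htmlspecialchars((string) $id, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="id_processo" value="' . $encoded . '">';
}

// Constructed sample value containing markup characters (harmless <em> tag).
$constructed = '42"><em>injected</em>';

echo renderUnsafe(['id_processo' => $constructed]), PHP_EOL; // attribute is broken out of
echo renderSafe(['id_processo' => $constructed]), PHP_EOL;   // rejected by validation
echo renderSafe(['id_processo' => '42']), PHP_EOL;           // legitimate value rendered
echo renderSafe([]), PHP_EOL;                                // missing parameter rejected
```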

Affected Version(s)

WeGIA < 3.7.0

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
