Cyber Posture

CVE-2026-23722

CriticalPublic PoC

Published: 16 January 2026

Published
16 January 2026
Modified
30 January 2026
KEV Added
Patch
CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0012 30.8th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

WeGIA is a Web Manager for Charitable Institutions. Prior to 3.6.2, a Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the WeGIA system, specifically within the html/memorando/insere_despacho.php file. The application fails to properly sanitize or encode user-supplied input via the…

more

id_memorando GET parameter before reflecting it into the HTML source (likely inside a <script> block or an attribute). This allows unauthenticated attackers to inject arbitrary JavaScript or HTML into the context of the user's browser session. This vulnerability is fixed in 3.6.2.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

SI-10 requires validation of user-supplied inputs like the id_memorando GET parameter to prevent injection of malicious JavaScript payloads.

SI-15 Information Output Filtering good match
prevent

SI-15 mandates filtering and encoding of reflected outputs in HTML to block arbitrary JavaScript execution in the victim's browser.

SI-2 Flaw Remediation good match
prevent

SI-2 ensures timely remediation of the specific flaw in html/memorando/insere_despacho.php by applying the patch in WeGIA 3.6.2.

Security SummaryAI

CVE-2026-23722 is a reflected cross-site scripting (XSS) vulnerability affecting WeGIA, a web manager for charitable institutions, in versions prior to 3.6.2. The flaw resides in the html/memorando/insere_despacho.php file, where the application fails to properly sanitize or encode user-supplied input passed via the id_memorando GET parameter. This input is reflected into the HTML source, likely within a script block or attribute, enabling injection of arbitrary JavaScript or HTML. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-79.

Unauthenticated remote attackers can exploit this vulnerability by tricking users into visiting a maliciously crafted URL containing the payload in the id_memorando parameter. Upon access, the injected script executes in the context of the victim's browser session, potentially allowing attackers to steal sensitive data such as session cookies, perform unauthorized actions on the user's behalf, or deface the page.

The GitHub security advisory at https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-g7hh-6qj7-mcqf details the issue and confirms that it is fixed in WeGIA version 3.6.2, recommending immediate upgrades to mitigate the risk.

Details

CWE(s)
CWE-79

Affected Products

wegia
wegia
≤ 3.6.2

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
attack.mitre.org →
T1491 Defacement Impact
Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content.
attack.mitre.org →
Why these techniques?

Reflected XSS in public-facing web application enables exploitation of public-facing applications (T1190), theft of session cookies via injected JavaScript (T1539), and page defacement (T1491).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References