CVE-2026-42872 Overview
CVE-2026-42872 is a reflected Cross-Site Scripting (XSS) vulnerability in WeGIA, a web manager used by charitable institutions. The flaw resides in lista_arquivos_etapa.php and stems from improper handling of the id_processo parameter. WeGIA embeds the parameter directly into the HTML response without sanitization, enabling attackers to inject arbitrary JavaScript. Successful exploitation runs script in the victim's browser session and can lead to session hijacking, credential theft, or unauthorized actions performed as the authenticated user. The maintainers fixed the issue in WeGIA version 3.7.0. The vulnerability is tracked under [CWE-79] (Improper Neutralization of Input During Web Page Generation).
Critical Impact
Attackers can execute arbitrary JavaScript in a victim's browser, enabling session theft and impersonation of administrative users.
Affected Products
- WeGIA versions prior to 3.7.0
- WeGIA component: lista_arquivos_etapa.php
- Vulnerable parameter: id_processo
Discovery Timeline
- 2026-05-11 - CVE-2026-42872 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42872
Vulnerability Analysis
The vulnerability is a reflected XSS issue in the WeGIA application's lista_arquivos_etapa.php endpoint. The script reads the id_processo HTTP parameter and renders it back into the HTML response without applying output encoding or input validation. Because the value is interpolated into the page context directly, an attacker-controlled payload becomes part of the served document. When a victim loads a crafted URL, the injected JavaScript executes under the origin of the WeGIA instance.
Exploitation requires user interaction, typically through a phishing link or an attacker-controlled page that triggers navigation to the malicious URL. The reflected nature of the flaw means the payload is not persisted server-side but executes on each crafted request. The scope changes because injected script runs with access to the WeGIA session context, allowing the attacker to read cookies, issue authenticated requests, or manipulate the DOM.
Root Cause
The root cause is the absence of contextual output encoding when the id_processo GET parameter is written into the HTML body. WeGIA does not apply HTML entity encoding, nor does it validate the parameter against an expected numeric format. PHP applications commonly require htmlspecialchars() or equivalent escaping on any user-controlled value reflected into markup. The missing sanitization aligns with [CWE-79].
Attack Vector
The attack is network-based and requires user interaction. An attacker crafts a URL targeting lista_arquivos_etapa.php with a JavaScript payload in the id_processo query string. The attacker then delivers the link by email, chat, or a malicious page. When an authenticated WeGIA user visits the link, the browser executes the injected script in the application's origin, exposing session cookies and user actions to attacker control. See the GitHub Security Advisory for additional technical details.
Detection Methods for CVE-2026-42872
Indicators of Compromise
- Requests to lista_arquivos_etapa.php containing HTML or script characters (<, >, script, onerror, onload) in the id_processo parameter.
- Unusual outbound requests from user browsers following access to crafted WeGIA URLs, indicating possible session token exfiltration.
- Web server access logs showing id_processo values that are not numeric identifiers.
Detection Strategies
- Inspect web server and reverse proxy logs for query strings targeting lista_arquivos_etapa.php with non-alphanumeric id_processo content.
- Deploy web application firewall (WAF) rules that block reflected XSS payload patterns in GET parameters.
- Correlate authentication events with suspicious referrer headers pointing to external attacker-controlled domains.
Monitoring Recommendations
- Enable verbose HTTP access logging for the WeGIA application and retain logs for forensic review.
- Monitor for spikes in failed authentication or unexpected administrative actions following user interaction with external links.
- Alert on Content Security Policy (CSP) violation reports if CSP is deployed in front of WeGIA.
How to Mitigate CVE-2026-42872
Immediate Actions Required
- Upgrade WeGIA to version 3.7.0 or later, which contains the fix for the id_processo parameter handling.
- Audit web server logs for prior requests to lista_arquivos_etapa.php containing suspicious id_processo payloads.
- Invalidate active WeGIA sessions and require re-authentication after patching.
Patch Information
The vulnerability is fixed in WeGIA 3.7.0. Patch details and the corrected handling of id_processo are documented in the GitHub Security Advisory GHSA-gp6v-f6q5-wq62.
Workarounds
- Deploy a WAF rule that blocks requests to lista_arquivos_etapa.php where id_processo contains characters outside the expected numeric range.
- Enforce a strict Content Security Policy that disallows inline script execution to reduce the impact of reflected XSS.
- Train administrative users to avoid clicking unsolicited links pointing to the WeGIA instance.
# Example WAF rule (ModSecurity) restricting id_processo to numeric values
SecRule ARGS:id_processo "!@rx ^[0-9]+$" \
"id:1042872,phase:2,deny,status:400,\
msg:'CVE-2026-42872: Non-numeric id_processo blocked'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
