CVE-2026-45025 Overview
CVE-2026-45025 is a Stored Cross-Site Scripting (XSS) vulnerability in WeGIA, a web manager for charitable institutions. The flaw affects all versions prior to 3.7.3 and resides in the html/atendido/etapa_processo.php page ("Etapas de um Processo"). An authenticated user can inject malicious JavaScript that executes in the browser of any user who later visits the page. Successful exploitation enables session hijacking and account takeover. The issue is classified under CWE-79: Improper Neutralization of Input During Web Page Generation. The maintainers fixed the vulnerability in WeGIA release 3.7.3.
Critical Impact
Authenticated attackers can persist malicious JavaScript in the "Etapas de um Processo" workflow, hijacking sessions and taking over accounts when other users access the page.
Affected Products
- WeGIA web manager for charitable institutions
- All versions prior to 3.7.3
- Fixed in WeGIA 3.7.3
Discovery Timeline
- 2026-05-11 - CVE-2026-45025 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-45025
Vulnerability Analysis
The vulnerability is a stored XSS issue in the etapa_processo.php endpoint, which renders the "Etapas de um Processo" (process steps) view inside the html/atendido/ directory. Input supplied by an authenticated user is persisted and later rendered back to the page without proper output encoding or input sanitization. Because the payload is stored server-side, every subsequent user who navigates to the page triggers script execution under their own session context.
The attack requires authenticated access, which restricts the pool of potential attackers to users with valid accounts. However, the cross-context impact is significant: a low-privileged attendant could plant a payload that fires in the browser of an administrator who reviews the process. Confidentiality impact is high because session tokens, cookies, and CSRF tokens accessible to JavaScript can be exfiltrated to attacker-controlled infrastructure.
Root Cause
The root cause is missing output encoding when the application echoes user-controlled values from the process-step records back into the HTML document. WeGIA versions prior to 3.7.3 did not apply HTML entity encoding (for example, htmlspecialchars with ENT_QUOTES) on these fields before insertion into the DOM.
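The pattern described above, shown as the vulnerable echo beside the encoded version. This is an added example and not WeGIA's code; the field names ('id', 'descricao') and the table markup are assumptions, not the application's schema.

```php
<?php
// Added example, not WeGIA's code: the CWE-79 pattern behind this CVE in a
// process-step ("etapa") view, first as the vulnerable echo and then with the
// entity encoding the 3.7.3 fix is described as applying. The array keys
// ('id', 'descricao') are assumed field names, not WeGIA's schema.

// Constructed record, as an authenticated user could have saved it.
$etapa = [
    'id'        => 42,
    'descricao' => '<img src=x onerror="alert(1)">',
];

// Vulnerable: the stored value is concatenated straight into the markup, so
// any tag or attribute inside it becomes live HTML for every viewer.
function render_etapa_vulnerable(array $etapa): string
{
    return '<td data-id="' . $etapa['id'] . '">' . $etapa['descricao'] . '</td>';
}

// Fixed: encode every untrusted value for the HTML context it lands in.
// ENT_QUOTES also encodes ' and ", so a value inside a quoted attribute
// cannot close the attribute; the charset must match the page's encoding.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_etapa_fixed(array $etapa): string
{
    return '<td data-id="' . e((string) $etapa['id']) . '">'
         . e($etapa['descricao']) . '</td>';
}

echo render_etapa_vulnerable($etapa), PHP_EOL;
echo render_etapa_fixed($etapa), PHP_EOL;
```

Entity encoding covers the HTML body and quoted-attribute contexts; a value inserted into a script block, a URL, or an unquoted attribute needs context-specific handling instead.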
Attack Vector
Exploitation requires network access to the WeGIA application and a valid authenticated session with privileges to edit or create process steps. The attacker submits a payload containing JavaScript through the form fields that feed etapa_processo.php. When a victim, often a higher-privileged staff member, opens the affected page, the stored script runs in their browser. No further user interaction is required beyond visiting the page.
No public proof-of-concept code is available for this issue. See the GitHub Security Advisory GHSA-g78v-g28w-rg73 for vendor technical details.
Detection Methods for CVE-2026-45025
Indicators of Compromise
- Process-step records in WeGIA containing HTML or JavaScript syntax such as <script>, onerror=, onload=, or javascript: URIs.
- Outbound browser requests from authenticated WeGIA users to unknown external domains immediately after loading etapa_processo.php.
- Unexpected session reuse or logins from new IP addresses for accounts that recently viewed the "Etapas de um Processo" page.
Detection Strategies
- Review database fields backing the html/atendido/etapa_processo.php view for stored payloads containing script tags or event handler attributes.
- Inspect web server access logs for POST requests writing process-step data, correlating user IDs with later viewers of the page.
- Enable Content Security Policy (CSP) reporting to capture script-source violations triggered by injected payloads.
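The database review in the first strategy above, written out as an audit scan over the indicators listed under Indicators of Compromise. This is an added example rather than a WeGIA tool; the column name 'descricao' and the row shape are assumptions, and the rows here are constructed sample data instead of a live query.

```php
<?php
// Added example, not WeGIA's code: an audit scan over stored process-step
// records for the markup indicators listed above. The column name
// 'descricao' and the row shape are assumed; in a real audit the rows come
// from the WeGIA database (for example via PDO) rather than this array.

// Patterns a process-step description should never contain. Each pattern
// requires the token to sit inside a tag, which keeps ordinary prose such
// as "prazo = 7 dias" from matching.
const XSS_INDICATORS = [
    'script_tag'     => '/<\s*script\b/i',
    'event_handler'  => '/<[^>]*\bon[a-z]+\s*=/i',
    'javascript_uri' => '/<[^>]*\bjavascript\s*:/i',
    'any_tag'        => '/<\s*[a-z!\/]/i',   // weakest signal, review by hand
];

// Returns one finding per (row, field) whose value hits at least one pattern.
function find_suspicious_steps(iterable $rows, array $fields): array
{
    $findings = [];
    foreach ($rows as $row) {
        foreach ($fields as $field) {
            $value = (string) ($row[$field] ?? '');
            $hits = [];
            foreach (XSS_INDICATORS as $name => $pattern) {
                if (preg_match($pattern, $value) === 1) {
                    $hits[] = $name;
                }
            }
            if ($hits !== []) {
                $findings[] = ['id' => $row['id'], 'field' => $field, 'indicators' => $hits];
            }
        }
    }
    return $findings;
}

// Constructed sample rows: one benign, one with an event handler, one with a
// javascript: URI inside a link.
$rows = [
    ['id' => 1, 'descricao' => 'Entrevista inicial com o atendido (prazo = 7 dias)'],
    ['id' => 2, 'descricao' => '<img src=x onerror=alert(1)>'],
    ['id' => 3, 'descricao' => 'Ver <a href="javascript:alert(1)">detalhes</a>'],
];

foreach (find_suspicious_steps($rows, ['descricao']) as $f) {
    printf("step %d, field %s: %s\n", $f['id'], $f['field'], implode(', ', $f['indicators']));
}
```

Run the scan over every text column that feeds the view, not only the description, and treat the 'any_tag' hits as candidates for manual review rather than confirmed payloads.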
Monitoring Recommendations
- Monitor authenticated WeGIA accounts for anomalous privilege changes or password resets following access to affected pages.
- Alert on exfiltration patterns such as session cookie values or CSRF tokens appearing in requests to external hosts, and on stored process-step content that references document.cookie.
- Track WeGIA application version inventory to confirm all instances run 3.7.3 or later.
How to Mitigate CVE-2026-45025
Immediate Actions Required
- Upgrade all WeGIA deployments to version 3.7.3 or later without delay.
- Audit existing process-step records for stored payloads and remove any HTML or script content before resuming normal operations.
- Invalidate active sessions and force password resets for users who accessed etapa_processo.php while a payload may have been live.
Patch Information
The vulnerability is fixed in WeGIA 3.7.3. Refer to the GitHub Security Advisory GHSA-g78v-g28w-rg73 for the upstream fix and release notes.
Workarounds
- Restrict access to the "Etapas de um Processo" functionality to a minimal set of trusted users until the upgrade is applied.
- Deploy a strict Content Security Policy that disallows inline scripts and limits script sources to the application origin. Roll it out first as Content-Security-Policy-Report-Only, because any WeGIA pages that rely on inline scripts will stop working under the enforced policy.
- Place WeGIA behind a web application firewall with rules that block common XSS payload patterns in POST bodies targeting etapa_processo.php. Treat this as a stopgap that reduces rather than removes exposure; only the upgrade restores the missing output encoding.
# Example CSP header to mitigate stored XSS impact
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.