CVE-2026-45026 Overview
CVE-2026-45026 is a stored Cross-Site Scripting (XSS) vulnerability [CWE-79] affecting WeGIA, an open-source web manager used by charitable institutions. Versions prior to 3.7.3 allow an authenticated user to inject malicious JavaScript into the Processo de Aceitação page (html/atendido/processo_aceitacao.php). The injected payload executes in the browser of any user who subsequently visits the affected page. Successful exploitation enables session hijacking and account takeover against other authenticated users, including privileged accounts. The maintainers addressed the issue in WeGIA 3.7.3.
Critical Impact
Authenticated attackers can store malicious JavaScript that executes in other users' sessions, enabling cookie theft, session hijacking, and full account takeover of higher-privileged accounts.
Affected Products
- WeGIA versions prior to 3.7.3
- Component: html/atendido/processo_aceitacao.php (Processo de Aceitação page)
- Maintainer: LabRedesCefetRJ
Discovery Timeline
- 2026-05-11 - CVE-2026-45026 published to the National Vulnerability Database
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-45026
Vulnerability Analysis
The vulnerability is a stored XSS issue in the WeGIA application. WeGIA fails to sanitize or encode user-supplied input before persisting it and later rendering it inside the Processo de Aceitação workflow. When a victim browses to html/atendido/processo_aceitacao.php, the stored payload is returned in the HTML response and executed by the victim's browser in the application's origin. Because the payload is stored server-side, it triggers automatically for any user who views the affected page, requiring no further user interaction beyond normal navigation. The scope change in the CVSS vector reflects that script executing in the victim's authenticated session can affect resources beyond the attacker's own privilege boundary, supporting cross-account compromise.
Root Cause
The root cause is missing output encoding and input validation on data rendered by the Processo de Aceitação page. User-controlled fields are written into the HTML document context without contextual escaping, allowing <script> tags and event-handler attributes to break out of the intended data context [CWE-79].
Attack Vector
Exploitation requires an authenticated account on the target WeGIA instance. The attacker submits a crafted payload through an input field consumed by the acceptance process. When an administrator or other user later opens the affected page, the script runs with that user's session, allowing the attacker to read the session cookie, perform CSRF-protected actions on behalf of the victim, or pivot to account takeover. See the GitHub Security Advisory GHSA-r578-8vgj-vph7 for technical details.
Detection Methods for CVE-2026-45026
Indicators of Compromise
- Unexpected <script> tags, javascript: URIs, or HTML event handlers (onerror, onload, onmouseover) stored within WeGIA database records associated with the acceptance workflow.
- Outbound HTTP requests from administrator browsers to unknown external hosts immediately after visiting processo_aceitacao.php.
- Anomalous session activity such as administrator session cookies being reused from new IP addresses or user agents.
Detection Strategies
- Review server-side data stores for HTML or JavaScript content in fields that should contain plain text related to the acceptance process.
- Inspect web server access logs for requests to html/atendido/processo_aceitacao.php correlated with subsequent privileged actions or password changes.
- Deploy Content Security Policy (CSP) violation reporting to surface inline script execution attempts on WeGIA pages.
Monitoring Recommendations
- Monitor authentication and authorization audit logs for new admin account creation, role escalations, or unexpected password resets following user visits to the affected page.
- Alert on browser-originated requests carrying session cookies to non-WeGIA domains.
- Track WeGIA version strings across deployments and flag any instance still running a version below 3.7.3.
How to Mitigate CVE-2026-45026
Immediate Actions Required
- Upgrade WeGIA to version 3.7.3 or later, which contains the official fix from the maintainers.
- Invalidate all active WeGIA sessions and force re-authentication after patching to revoke any sessions potentially captured via stored payloads.
- Audit existing records written to the Processo de Aceitação workflow for malicious HTML or JavaScript content and remove offending entries.
Patch Information
The vulnerability is fixed in WeGIA 3.7.3. Refer to the GitHub Security Advisory GHSA-r578-8vgj-vph7 for the official patch details and release notes.
Workarounds
- Restrict access to the WeGIA application and to authenticated roles capable of writing to the acceptance workflow until the upgrade is applied.
- Deploy a strict Content Security Policy that disallows inline scripts (script-src 'self') to limit the impact of any stored payload.
- Place the application behind a web application firewall configured to filter HTML and JavaScript tokens in request parameters destined for processo_aceitacao.php.
# Example restrictive CSP header for the WeGIA web server
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
