Cross-site scripting in WeGIA - CVE-2026-23724

Published: April 23, 2026


Vulnerability identifier: #VU127318
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23724
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LabReDeS
Affected software:
WeGIA

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser.

The vulnerability exists because the "Atendido" selection dropdown in html/atendido/cadastro_ocorrencia.php renders database-backed, user-controlled data without properly neutralizing it for the HTML context (stored cross-site scripting). A remote user can store a crafted payload in an Atendido value and have it execute as arbitrary JavaScript in the victim's browser.

The issue is triggered when the occurrence registration page loads and renders the stored value inside the dropdown.
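The rendering pattern described above, reduced to its essentials as an added example; this is not WeGIA's own code, and the table, column and function names are assumptions. Two PHP functions build the same dropdown from a constructed query result: one concatenates the stored value straight into the markup (the CWE-79 pattern), the other HTML-encodes every dynamic value for the context it lands in.

```php
<?php
// Added example, not code from WeGIA or from html/atendido/cadastro_ocorrencia.php.
// Column and function names are hypothetical.
declare(strict_types=1);

// Constructed sample rows standing in for a query result on an "atendido" table.
// The second name carries HTML metacharacters, the kind of stored value that
// CWE-79 is about.
$atendidos = [
    ['id_atendido' => 1, 'nome' => 'João Silva'],
    ['id_atendido' => 2, 'nome' => 'Maria "x" <i>teste</i>'],
];

// Vulnerable pattern: the stored value is concatenated into the page as-is,
// so any markup inside it becomes part of the DOM when the page loads.
function renderDropdownVulnerable(array $rows): string
{
    $html = '<select name="id_atendido">';
    foreach ($rows as $row) {
        $html .= '<option value="' . $row['id_atendido'] . '">'
               . $row['nome'] . '</option>';
    }
    return $html . '</select>';
}

// Hardened pattern: every dynamic value is HTML-encoded before insertion.
// ENT_QUOTES covers both attribute and element-content contexts, ENT_SUBSTITUTE
// replaces invalid byte sequences instead of returning an empty string, and the
// explicit UTF-8 charset avoids encoding mismatches.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderDropdownSafe(array $rows): string
{
    $html = '<select name="id_atendido">';
    foreach ($rows as $row) {
        $html .= '<option value="' . e((string) $row['id_atendido']) . '">'
               . e($row['nome']) . '</option>';
    }
    return $html . '</select>';
}

// Render the same stored data both ways so the difference is visible.
echo "Vulnerable:\n", renderDropdownVulnerable($atendidos), "\n\n";
echo "Hardened:\n", renderDropdownSafe($atendidos), "\n";
```

In the hardened output the quotes and angle brackets of the second name appear as HTML entities, so the browser displays the literal text rather than interpreting it as markup. The encoding has to happen at output time for each context the value is written into; validating the value on the way into the database is a useful complement but does not replace it, because the data can reach the table by other paths.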


How to mitigate CVE-2026-23724

Install the security update from the vendor's website.