Cross-site scripting in WeGIA - #VU127346

 


Published: April 23, 2026


Vulnerability identifier: #VU127346
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LabReDeS
Affected software:
WeGIA

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript in victims' browsers.

The vulnerability exists due to cross-site scripting in profile_paciente.php when rendering the user-supplied Nome field on the Informações Pacientes page. A remote privileged user can inject malicious HTML or JavaScript into this field to execute arbitrary JavaScript in victims' browsers.

The payload is stored and executed when patient information is viewed.
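The sketch below is an added example, not code from WeGIA or from this advisory. It shows the stored-XSS pattern described above (a saved name written into the page without encoding) beside an output-encoded version, plus a review pass over values that are already stored; the function names, the table-cell markup and the sample rows are assumptions made for illustration.

```php
<?php
// Added illustration; not WeGIA source code. $nome stands in for the stored
// "Nome" value, and every function name here is hypothetical.

// Unsafe pattern: the stored value is written into the page as-is, so any
// markup saved in the field is parsed by the browser of whoever views it.
function render_nome_unsafe(string $nome): string
{
    return '<td class="nome">' . $nome . '</td>';
}

// Encode for the HTML context at output time. ENT_QUOTES also covers quoted
// attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead
// of making htmlspecialchars() return an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: same markup, but the name is encoded before output.
function render_nome_safe(string $nome): string
{
    return '<td class="nome">' . e($nome) . '</td>';
}

// Review helper: return the rows whose stored name contains angle brackets,
// so records saved before the fix can be inspected. Apostrophes and
// ampersands are not flagged because they occur in legitimate names.
function find_suspect_names(array $rows): array
{
    return array_filter($rows, fn(string $n): bool => preg_match('/[<>]/', $n) === 1);
}

// Constructed sample rows (record id => stored name); not real data.
$stored = [
    1 => 'Maria da Silva',
    2 => "João D'Ávila",
    3 => '<script>alert(1)</script>', // constructed test value
];

foreach ($stored as $id => $nome) {
    echo $id, ': ', render_nome_safe($nome), PHP_EOL;
}

echo 'Rows to review: ', implode(', ', array_keys(find_suspect_names($stored))), PHP_EOL;
```

Encoding at output time makes previously stored values inert when rendered, while the review pass identifies which records held markup and may warrant a look at who saved them.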


Remediation

Install the security update from the vendor's website.
