WeGIA Web Manager: Stored XSS Puts Charitable Institutions at Risk
The National Vulnerability Database has disclosed CVE-2026-40286, a high-severity (CVSS 7.5) Stored Cross-Site Scripting (XSS) vulnerability in WeGIA, a web manager for charitable institutions. Prior to version 3.6.10, an attacker could inject a malicious payload into the ‘Member Name’ field during ‘Member Registration’. This script is then persistently stored in the database and executed whenever a user navigates to specific URLs within the application.
This isn’t just a minor annoyance; it’s a direct path to session hijacking, data exfiltration, or even full administrative control if an admin user is targeted. For charitable organizations, this means potential reputational damage, financial loss, and a breach of trust with their members. The attacker’s calculus is straightforward: target an application often used by less technically sophisticated users, leverage a common web vulnerability, and gain persistent access to sensitive data or control.
Defenders must prioritize patching. The fix is available in WeGIA version 3.6.10. Beyond patching, organizations using WeGIA should review their web application firewall (WAF) configurations to ensure robust XSS protection and consider implementing Content Security Policy (CSP) headers to mitigate similar client-side injection risks proactively.
What This Means For You
- If your organization uses WeGIA, you need to check your version immediately. Patch to 3.6.10 or later without delay. Review your web application logs for any suspicious activity related to member registration or unusual script executions, as this vulnerability allows for persistent code injection.
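Two of the defender steps above, output encoding plus a restrictive CSP and a sweep of already-stored records, as an added Python example that is not WeGIA's own code. The member rows and the column name `nome_socio` are constructed for illustration; the page gives no schema.

```python
import html
import re

# Constructed sample rows standing in for an export of the member table.
# Column name 'nome_socio' is hypothetical; the page does not give WeGIA's schema.
MEMBER_ROWS = [
    {"id": 1, "nome_socio": "Maria da Silva"},
    {"id": 2, "nome_socio": "João <script>document.title='x'</script>"},
    {"id": 3, "nome_socio": "Ana <img src=x onerror=x()>"},
    {"id": 4, "nome_socio": "Pedro & Filhos"},  # a legitimate '&' is not markup
]

def render_member_name(name: str) -> str:
    """Hardened output: HTML-encode the stored name for an HTML text context.
    Skipping this on pages that display the name is what turns a stored string
    into executing script, regardless of what the registration form accepted.
    """
    return "<td>" + html.escape(name, quote=True) + "</td>"

# Markup or script-ish tokens have no place in a person's name. This is a triage
# aid, not a parser: obfuscated payloads can slip past it, so a clean scan means
# "nothing obvious", not "clean".
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)

def find_suspicious_names(rows, field="nome_socio"):
    """Return (id, name) for rows whose stored name looks like HTML or script.
    Patching fixes future rendering; records injected before the patch are still
    in the database and must be found and cleaned separately.
    """
    return [(r["id"], r[field]) for r in rows if MARKUP_RE.search(r[field])]

def csp_header() -> tuple:
    """Defence-in-depth CSP that blocks inline script without 'unsafe-inline'.
    An inline <script> payload in a rendered name cannot run under this policy;
    adding 'unsafe-inline' to script-src would undo that benefit.
    """
    return ("Content-Security-Policy",
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            "base-uri 'self'; frame-ancestors 'none'")

if __name__ == "__main__":
    for row_id, name in find_suspicious_names(MEMBER_ROWS):
        print(f"member {row_id}: {name!r} -> rendered as {render_member_name(name)}")
    print(*csp_header(), sep=": ")
```

Run the sweep against a real export after patching: the fix stops new records from executing, but anything stored before 3.6.10 stays in the table until it is cleaned.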
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40286 | XSS | WeGIA versions prior to 3.6.10 |
| CVE-2026-40286 | XSS | Vulnerable function: 'Member Registration' (Cadastrar Sócio) |
| CVE-2026-40286 | XSS | Vulnerable field: 'Member Name' (Nome Sócio) |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 18, 2026 at 00:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.