PT-2026-39736 · Wegia · Wegia

Dapickle · Published 2026-05-11 · Updated 2026-05-11 · CVE-2026-42872

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions
WeGIA versions prior to 3.7.0

Description
A reflected Cross-Site Scripting (XSS) issue exists in the 'lista arquivos etapa.php' endpoint. The id processo parameter is embedded into the HTML without proper sanitization, allowing the injection of arbitrary JavaScript. This can result in session hijacking, credential theft, or the execution of malicious actions within the victim's browser.

Recommendations
Update to version 3.7.0. As a temporary workaround, restrict access to the 'lista arquivos etapa.php' endpoint or avoid using the id processo parameter until the update is applied.
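A log check to run while the update is pending, given here as an added example (it is not WeGIA code and not part of the advisory): it flags requests to the endpoint whose id processo value is not plain digits. The digits-only rule, the combined access-log format and the tolerant handling of separators in the two names are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Names as printed in the advisory (with spaces). The spelling used in a real
# deployment is not shown there, so space, "_" and "-" are treated alike.
ENDPOINT = "lista arquivos etapa.php"
PARAM = "id processo"
# Assumption: a legitimate value is a short run of ASCII digits.
SAFE_VALUE = re.compile(r"[0-9]{1,18}")
# Request field of a combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def _norm(name):
    """Percent-decode, collapse separators to one space, lower-case."""
    return re.sub(r"[\s_\-]+", " ", unquote(name)).strip().lower()

def suspicious_values(log_line):
    """Values of PARAM sent to ENDPOINT in this line that are not plain digits."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    try:
        url = urlsplit(m.group(1))
    except ValueError:  # malformed request target
        return []
    if _norm(url.path.rsplit("/", 1)[-1]) != _norm(ENDPOINT):
        return []
    # parse_qsl percent-decodes, so encoded markup is compared in clear form.
    return [value for key, value in parse_qsl(url.query, keep_blank_values=True)
            if _norm(key) == _norm(PARAM) and not SAFE_VALUE.fullmatch(value)]

def scan(lines):
    """Return (line_number, values) for every line with a non-numeric value."""
    hits = []
    for number, line in enumerate(lines, start=1):
        values = suspicious_values(line)
        if values:
            hits.append((number, values))
    return hits

# Constructed sample lines; the /wegia/ prefix and the addresses are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/May/2026:10:00:01 +0000] "GET /wegia/lista_arquivos_etapa.php?id_processo=42 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [11/May/2026:10:00:05 +0000] "GET /wegia/lista_arquivos_etapa.php?id_processo=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 5160',
    '203.0.113.9 - - [11/May/2026:10:00:09 +0000] "GET /wegia/other.php?id_processo=%3Cb%3Ex HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for number, values in scan(SAMPLE_LOG):
        print(f"line {number}: non-numeric {PARAM!r} value(s): {values}")
```

Access logs record only the query string, so values sent in a request body are not covered by this check.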

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers
CVE-2026-42872

Affected Products
Wegia