https://www.cvehunters.com/p/cve-2026-40283/Cross-Site Scripting (XSS) Storedhttps://www.cvehunters.com/p/cve-2026-40283/https://www.cvehunters.com/p/cve-2026-40283/<h2 id="cve-2026-40283-cross-site-scripting-xss-stored-in-profile_pacientephp">CVE-2026-40283: Cross-Site Scripting (XSS) Stored in <code>profile_paciente.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2026-40283" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2026-40283</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the “Nome” field in the “Informações Pacientes” page. The payload is stored and executed when the patient information is viewed.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application does not properly sanitize or encode the “Nome” field, which accepts user-controlled input. An attacker can insert malicious HTML or JavaScript into this field when creating or editing a patient.</br></br>When the “Informações Pacientes” page is accessed, this value is rendered in the DOM without proper escaping, leading to execution of the injected code in the browser.</br></br>This behavior indicates improper output encoding and results in a Stored XSS vulnerability.</p><h2 id="cve-2026-40283-cross-site-scripting-xss-stored-in-profile_pacientephp">CVE-2026-40283: Cross-Site Scripting (XSS) Stored in <code>profile_paciente.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2026-40283" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2026-40283</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the “Nome” field in the “Informações Pacientes” page. The payload is stored and executed when the patient information is viewed.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application does not properly sanitize or encode the “Nome” field, which accepts user-controlled input. An attacker can insert malicious HTML or JavaScript into this field when creating or editing a patient.</br></br>When the “Informações Pacientes” page is accessed, this value is rendered in the DOM without proper escaping, leading to execution of the injected code in the browser.</br></br>This behavior indicates improper output encoding and results in a Stored XSS vulnerability.</p> <ul> <li>Vulnerable Endpoint: <code>profile_paciente.php</code></li> </ul> <h2 id="poc">PoC </h2><h3 id="payload">Payload </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"><span class="p"><</span><span class="nt">h1</span><span class="p">></span> <span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nx">alert</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p"></</span><span class="nt">script</span><span class="p">></</span><span class="nt">h1</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="steps-to-reproduce">Steps to Reproduce: </h3><p style="text-align: justify;"><b>1.</b> Register a patient where the “Name” field contains the payload.</br></br><b>2.</b> Navigate to the “Patient Information” page for the created patient.</br></br><b>3.</b> Observe that the payload is executed in the browser:</p> <p><img src="/p/cve-2026-40283/image.png" width="1360" height="737" srcset="/p/cve-2026-40283/image_hu_7406d057c64135fd.png 480w, /p/cve-2026-40283/image_hu_47e3d68f29444a6d.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="184" data-flex-basis="442px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Session hijacking: Stealing cookies or authentication tokens to impersonate users.</li> <li>Credential theft: Harvesting usernames and passwords using malicious scripts.</li> <li>Malware delivery: Distributing unwanted or harmful code to victims.</li> <li>Privilege escalation: Compromising administrative users through persistent scripts.</li> <li>Data manipulation or defacement: Changing or disrupting site content.</li> <li>Reputation damage: Eroding trust among site users and administrators.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-x74c-gwj9-6cwr" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-x74c-gwj9-6cwr</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://br.linkedin.com/in/thiagoescarrone" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/thiago50x50.png" loading="lazy" /></a> <a class="link" href="https://br.linkedin.com/in/thiagoescarrone" target="_blank" rel="noopener" >Thiago Escarrone</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote>Fri, 17 Apr 2026 00:00:00 +0000