CVE-2026-40284: Cross-Site Scripting (XSS) Stored in listar_despachos.php
CVE Publication: https://www.cve.org/CVERecord?id=CVE-2026-40284
Summary
A Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the “Destinatário” field. The payload is stored and later executed when viewing the dispatch page, impacting other users.
Details
The application fails to properly sanitize or escape the “Destinatário” field, which is populated with user-controlled data (nome do usuário). When a despacho is created using a maliciously crafted name containing HTML/JavaScript, this value is stored in the system.During the rendering of the dispatch listing page, the application inserts this data into the DOM using .html(), causing the browser to interpret and execute the injected code.This results in a Stored XSS vulnerability due to improper output encoding of user-controlled data.
- Vulnerable Endpoint:
listar_despachos.php
PoC
Payload
| |
Steps to Reproduce:
1. Alter the name of a user (or create one) with the payload.2. Create a despacho selecting this user as “Destinatário”.3. Access the page that lists or displays the despacho.4. Observe that the payload is executed in the browser:
Impact
- Session hijacking: Stealing cookies or authentication tokens to impersonate users.
- Credential theft: Harvesting usernames and passwords using malicious scripts.
- Malware delivery: Distributing unwanted or harmful code to victims.
- Privilege escalation: Compromising administrative users through persistent scripts.
- Data manipulation or defacement: Changing or disrupting site content.
- Reputation damage: Eroding trust among site users and administrators.
Reference
https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-mccp-8446-phw5
Finder
By: CVE-Hunters