https://www.cvehunters.com/p/cve-2026-40284/Cross-Site Scripting (XSS) Storedhttps://www.cvehunters.com/p/cve-2026-40284/https://www.cvehunters.com/p/cve-2026-40284/<h2 id="cve-2026-40284-cross-site-scripting-xss-stored-in-listar_despachosphp">CVE-2026-40284: Cross-Site Scripting (XSS) Stored in <code>listar_despachos.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2026-40284" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2026-40284</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the “Destinatário” field. The payload is stored and later executed when viewing the dispatch page, impacting other users.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize or escape the “Destinatário” field, which is populated with user-controlled data (nome do usuário). When a despacho is created using a maliciously crafted name containing HTML/JavaScript, this value is stored in the system.</br></br>During the rendering of the dispatch listing page, the application inserts this data into the DOM using .html(), causing the browser to interpret and execute the injected code.</br></br>This results in a Stored XSS vulnerability due to improper output encoding of user-controlled data.</p><h2 id="cve-2026-40284-cross-site-scripting-xss-stored-in-listar_despachosphp">CVE-2026-40284: Cross-Site Scripting (XSS) Stored in <code>listar_despachos.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2026-40284" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2026-40284</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the “Destinatário” field. The payload is stored and later executed when viewing the dispatch page, impacting other users.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize or escape the “Destinatário” field, which is populated with user-controlled data (nome do usuário). When a despacho is created using a maliciously crafted name containing HTML/JavaScript, this value is stored in the system.</br></br>During the rendering of the dispatch listing page, the application inserts this data into the DOM using .html(), causing the browser to interpret and execute the injected code.</br></br>This results in a Stored XSS vulnerability due to improper output encoding of user-controlled data.</p> <ul> <li>Vulnerable Endpoint: <code>listar_despachos.php</code></li> </ul> <h2 id="poc">PoC </h2><h3 id="payload">Payload </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"><span class="p"><</span><span class="nt">h1</span><span class="p">></span> <span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nx">alert</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p"></</span><span class="nt">script</span><span class="p">></</span><span class="nt">h1</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="steps-to-reproduce">Steps to Reproduce: </h3><p style="text-align: justify;"><b>1.</b> Alter the name of a user (or create one) with the payload.</br></br><b>2.</b> Create a despacho selecting this user as “Destinatário”.</br></br><b>3.</b> Access the page that lists or displays the despacho.</br></br><b>4.</b> Observe that the payload is executed in the browser:</p> <p><img src="/p/cve-2026-40284/image.png" width="884" height="751" srcset="/p/cve-2026-40284/image_hu_b5a29259f27a9224.png 480w, /p/cve-2026-40284/image_hu_d02bb8cf295854e3.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="117" data-flex-basis="282px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Session hijacking: Stealing cookies or authentication tokens to impersonate users.</li> <li>Credential theft: Harvesting usernames and passwords using malicious scripts.</li> <li>Malware delivery: Distributing unwanted or harmful code to victims.</li> <li>Privilege escalation: Compromising administrative users through persistent scripts.</li> <li>Data manipulation or defacement: Changing or disrupting site content.</li> <li>Reputation damage: Eroding trust among site users and administrators.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-mccp-8446-phw5" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-mccp-8446-phw5</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://br.linkedin.com/in/thiagoescarrone" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/thiago50x50.png" loading="lazy" /></a> <a class="link" href="https://br.linkedin.com/in/thiagoescarrone" target="_blank" rel="noopener" >Thiago Escarrone</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote>Fri, 17 Apr 2026 00:00:00 +0000