CVE Catalog

CVE-2026-47106

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.03%

9th percentile - higher than 9% of all known CVEs

Summary

Ellucian Banner Self-Service before the April T2 release in 2025 contains a stored XSS vulnerability in the course search functionality. Authenticated users with write access can inject malicious JavaScript into faculty and course fields.

Risk Assessment

An attacker can exploit this vulnerability to execute arbitrary scripts in the browsers of users viewing the affected course meeting times, potentially leading to data theft or session hijacking.

Recommendation

It is recommended to update to the Ellucian Banner Self-Service version after the T2 release in April 2025 and implement proper input sanitization mechanisms.

Original NVD description (English source)

Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a stored cross-site scripting vulnerability in the course search functionality that allows authenticated Banner ERP users to inject malicious payloads into faculty and course fields by exploiting missing HTML encoding during DOM insertion. An attacker with Banner ERP write access can store malicious JavaScript in fields such as faculty displayName, emailAddress, subjectDescription, or courseTitle; these values are subsequently served unsanitized by the unauthenticated getFacultyMeetingTimes API endpoint, causing arbitrary script execution in the browser of any user who views the affected course's meeting times.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS