CVE-2026-47106
5.4 MEDIUMEllucian Banner Self-Service before the April T2 release (2025-04-23) contains a stored cross-site scripting vulnerability in the course ...
Published: 2026-06-09 · Last updated: 2026-06-10
Severity and scoring
- CVSS
- 5.4 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- CWE
- CWE-79
Description
Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a stored cross-site scripting vulnerability in the course search functionality that allows authenticated Banner ERP users to inject malicious payloads into faculty and course fields by exploiting missing HTML encoding during DOM insertion. An attacker with Banner ERP write access can store malicious JavaScript in fields such as faculty displayName, emailAddress, subjectDescription, or courseTitle; these values are subsequently served unsanitized by the unauthenticated getFacultyMeetingTimes API endpoint, causing arbitrary script execution in the browser of any user who views the affected course's meeting times.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-47106
- [Other]https://www.ellucian.com/assets/en/brochure/brochure-learn-more-about-ellucian-banner-self-service.pdf
- [Other]https://www.ellucian.com/security-researcher-hall-of-fame
- [Other]https://www.vulncheck.com/advisories/ellucian-banner-self-service-stored-xss-via-getfacultymeetingtimes-api
Related CVEs
Same CWE
- CVE-2026-2827 — The Open User Map PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'oum_location_notification' parameter in ... (4.7 MEDIUM)
- CVE-2026-42558 — Xibo is an open source digital signage platform with a web content management system and Windows display player software (7.6 HIGH)
- CVE-2026-53742 — Simple Link Directory through 9.0.4 echoes embed shortcode attributes into HTML data attributes without escaping in the embedder template (5.4 MEDIUM)
- CVE-2026-53741 — Simple Link Directory through 9.0.4 interpolates the sld_no_results_found option into a JavaScript string literal without encoding (5.4 MEDIUM)
- CVE-2026-53740 — Yoast Duplicate Post through 4.6 inserts an unescaped post title and permalink into the Classic Editor scheduled republish notice (5.4 MEDIUM)