CVE-2026-47106
Gravedad CVSS v4.0:
MEDIA
Tipo:
CWE-79
Neutralización incorrecta de la entrada durante la generación de la página web (Cross-site Scripting)
Fecha de publicación:
09/06/2026
Última modificación:
10/06/2026
Descripción
*** Pendiente de traducción *** Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a stored cross-site scripting vulnerability in the course search functionality that allows authenticated Banner ERP users to inject malicious payloads into faculty and course fields by exploiting missing HTML encoding during DOM insertion. An attacker with Banner ERP write access can store malicious JavaScript in fields such as faculty displayName, emailAddress, subjectDescription, or courseTitle; these values are subsequently served unsanitized by the unauthenticated getFacultyMeetingTimes API endpoint, causing arbitrary script execution in the browser of any user who views the affected course's meeting times.
Impacto
Puntuación base 4.0
5.10
Gravedad 4.0
MEDIA
Puntuación base 3.x
5.40
Gravedad 3.x
MEDIA



