Portabilis i-Educar CVE-2025-8366
Severity by source: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was found in Portabilis i-Educar 2.9. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /intranet/educar_servidor_lst.php. The manipulation of the argument nome/matricula_servidor leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Reflected cross-site scripting (XSS) in Portabilis i-Educar 2.9 allows remote unauthenticated attackers to inject arbitrary JavaScript via the nome or matricula_servidor parameters in /intranet/educar_servidor_lst.php. The vulnerability requires user interaction (clicking a malicious link) and has low confidentiality impact but can lead to session hijacking or credential theft. Publicly available exploit code exists, though exploitation likelihood remains low (EPSS 0.11%) due to user interaction requirement and limited real-world impact surface.
Technical Context (AI)
The vulnerability resides in a PHP web application handling educational administration (i-Educar is a student information system). The affected endpoint /intranet/educar_servidor_lst.php processes user-supplied input parameters (nome and matricula_servidor) without proper output encoding or sanitization before reflecting them into the HTML response. This is a classic reflected XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) where untrusted user input is included directly in dynamically generated web content. The attack vector is network-based (AV:N) with low attack complexity (AC:L), meaning the vulnerability can be triggered by a single crafted HTTP request, but exploitation requires user interaction (UI:P): a victim must open the crafted URL.
Remediation (AI)
Apply input validation and output encoding to the nome and matricula_servidor parameters in /intranet/educar_servidor_lst.php. Specifically, use HTML entity encoding (e.g., htmlspecialchars() in PHP with the ENT_QUOTES flag) on all reflected parameters before rendering them in an HTML context. If a vendor patch for version 2.9+ becomes available, upgrade immediately; currently, no patched version has been released by Portabilis (the vendor has not responded). As interim compensating controls:
(1) Deploy a Web Application Firewall (WAF) rule to block requests containing script tags or JavaScript event handlers in the nome and matricula_servidor parameters. The trade-off is potential false positives if legitimate data contains angle brackets.
(2) Implement Content Security Policy (CSP) headers (e.g., script-src 'self') to prevent inline script execution. This blocks injected scripts from running even if the reflection remains, but may break legitimate functionality if the application relies on inline scripts.
(3) Restrict access to /intranet/ endpoints to authenticated users via network-level controls or reverse proxy authentication if operationally feasible.
Monitor GitHub and vuldb.com for community-contributed patches or forks.
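To make the encoding and CSP advice concrete, the following is an added illustration written for this record, not code from i-Educar or Portabilis. It shows a minimal listing page that reflects the two advisory parameters first in the vulnerable pattern the description implies, then hardened with htmlspecialchars() using ENT_QUOTES and an explicit charset, with an assumed digits-only validation rule for matricula_servidor and the script-src 'self' policy from control (2). Function names, the validation rule and the sample input are assumptions.

```php
<?php
// Added example, not i-Educar's code: parameter names follow the advisory,
// everything else (function names, validation rule, sample input) is assumed.
declare(strict_types=1);

// Vulnerable pattern (CWE-79): untrusted query values concatenated into HTML
// attribute values with no encoding, so quotes and angle brackets reach the page.
function renderFilterVulnerable(string $nome, string $matricula): string
{
    return '<input name="nome" value="' . $nome . '">'
         . '<input name="matricula_servidor" value="' . $matricula . '">';
}

// Hardened: encode for the HTML attribute context. ENT_QUOTES neutralises both
// single and double quotes; the explicit charset avoids multibyte edge cases.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderFilterSafe(string $nome, string $matricula): string
{
    return '<input name="nome" value="' . e($nome) . '">'
         . '<input name="matricula_servidor" value="' . e($matricula) . '">';
}

// Input validation in front of encoding. A servidor matricula is assumed here
// to be 1-12 digits; this is an assumption, not the real i-Educar data rule.
function validMatricula(string $matricula): bool
{
    return (bool) preg_match('/^\d{1,12}$/', $matricula);
}

// Compensating control (2) from the remediation: forbid inline script so that
// a reflected payload does not execute even if encoding is missed somewhere.
// script-src 'self' is assumed to be acceptable for this deployment.
function sendCspHeader(): void
{
    header("Content-Security-Policy: script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Constructed sample input: quotes and a script tag show what each renderer emits.
$nome      = $_GET['nome'] ?? 'Ana "Silva" <script>x</script>';
$matricula = $_GET['matricula_servidor'] ?? '12345';

if (!validMatricula($matricula)) {
    // Reject rather than reflect malformed identifiers.
    http_response_code(400);
    exit('invalid matricula_servidor');
}

if (PHP_SAPI !== 'cli') {
    sendCspHeader();
}

echo "Vulnerable:\n" . renderFilterVulnerable($nome, $matricula) . "\n\n";
echo "Hardened:\n"   . renderFilterSafe($nome, $matricula) . "\n";
```

Run with `php -f` to compare the two outputs: the vulnerable renderer closes the value attribute at the first double quote and emits the script element verbatim, while the hardened renderer emits `&quot;`, `&lt;` and `&gt;` so the whole string stays inside the attribute. Validation is applied before encoding because rejecting malformed identifiers is cheaper and leaves a clearer log trail than encoding them; encoding still covers the free-text nome field.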