Skip to main content

Banner Self-Service CVE-2026-47106

| EUVDEUVD-2026-35796 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-09 VulnCheck GHSA-pgpc-33v2-x2qg
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

2
CVSS changed
Jun 09, 2026 - 20:22 NVD
5.4 (MEDIUM) 5.1 (MEDIUM)
Analysis Generated
Jun 09, 2026 - 20:21 vuln.today

DescriptionNVD

Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a stored cross-site scripting vulnerability in the course search functionality that allows authenticated Banner ERP users to inject malicious payloads into faculty and course fields by exploiting missing HTML encoding during DOM insertion. Attackers can store malicious JavaScript in fields such as faculty displayName, emailAddress, subjectDescription, or courseTitle through the unauthenticated getFacultyMeetingTimes API endpoint, causing arbitrary script execution.

AnalysisAI

Stored cross-site scripting in Ellucian Banner Self-Service before the April T2 2025 release (2025-04-23) allows low-privileged authenticated Banner ERP users to persist malicious JavaScript in faculty and course data fields via missing HTML encoding at the DOM insertion point. Payloads planted in fields such as faculty displayName, emailAddress, subjectDescription, or courseTitle are subsequently served through the unauthenticated getFacultyMeetingTimes API and execute in any victim's browser that renders course search results. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Technical ContextAI

Ellucian Banner Self-Service (CPE: cpe:2.3:a:ellucian:banner_self-service:*:*:*:*:*:*:*:*) is a higher-education ERP web application widely deployed at colleges and universities for student and faculty self-service tasks, including course discovery. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting), specifically a stored/persistent variant. The getFacultyMeetingTimes API endpoint, which requires no authentication to query, exposes faculty and course fields without applying HTML entity encoding before those values are inserted into the DOM during course search rendering. Because attacker-controlled strings reach the document object model as raw HTML rather than escaped text, any script tags or event-handler payloads they contain execute in the context of the victim's browser session, enabling the scope change noted in the CVSS vector (S:C).

RemediationAI

The primary remediation is to upgrade Ellucian Banner Self-Service to the April T2 release (2025-04-23) or any subsequent release, which addresses the missing HTML encoding during DOM insertion in the course search interface. Institutions should apply this update through their standard Ellucian patching process and consult the VulnCheck advisory at https://www.vulncheck.com/advisories/ellucian-banner-self-service-stored-xss-via-getfacultymeetingtimes-api for technical context. If immediate patching is not feasible, a compensating control is to audit and restrict Banner ERP role permissions so that only operationally necessary accounts retain write access to the affected fields (faculty displayName, emailAddress, subjectDescription, courseTitle), reducing the number of accounts capable of planting payloads; however, this does not remediate the encoding defect and may disrupt legitimate faculty and administrative workflows. Deploying a WAF with XSS filtering rules targeted at the getFacultyMeetingTimes API endpoint and the course search UI can provide an additional detection and blocking layer, though WAF-based XSS filtering is bypassable and should not be treated as a substitute for patching.

Share

CVE-2026-47106 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy