Description
A vulnerability was identified in Portabilis i-Educar up to 2.10. Affected by this vulnerability is an unknown functionality of the file /intranet/meusdadod.php of the component User Data Page. Such manipulation of the argument File leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-06
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting allowing client‑side code execution
Action: Assess Impact
AI Analysis

Impact

The vulnerability is located in Portabilis i‑Educar up to version 2.10, inside the file /intranet/meusdadod.php. By carefully crafting the value of the parameter named File, an attacker can send arbitrary script payloads that are rendered unescaped. The reflected XSS allows the execution of attacker‑supplied JavaScript in the victim’s browser, potentially leading to session hijacking, credential theft or defacement, depending on the attacker’s goal.

Affected Systems

Portabilis i‑Educar versions up to and including 2.10 are affected, particularly the User Data Page component that processes the File argument. The flaw is reachable through the public intranet interface, and the application is likely deployed in educational institutions that rely on it for internal user management.

Risk and Exploitability

The CVSS score of 5.1 classifies it as moderate severity, while the EPSS score of less than 1% indicates a very low probability of exploitation at present. It is not listed in the CISA KEV catalog, so there is no evidence of widespread active attacks yet. Nevertheless, the flaw is exploitable remotely via the internet, and attackers can trigger it by embedding a malicious payload in the File parameter of the exposed URL. Without an official vendor patch, the risk remains until suitable mitigations are applied or the product is upgraded beyond the affected release.

Generated by OpenCVE AI on April 18, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Conduct a version audit to confirm whether the deployment runs a vulnerable 2.10 or earlier release, and if possible, test the XSS by placing a harmless script within the File argument on /intranet/meusdadod.php to verify the flaw.
  • Enforce strict whitelisting of the File parameter to allow only known safe values, preventing arbitrary code injection (CWE‑94). This mitigates the risk of executing unintended scripts or code.
  • Apply HTML encoding or output‑escaping to all content derived from the File parameter before rendering it on the page (CWE‑79), ensuring no script tags or event handlers execute in the browser.
  • Deploy a web application firewall or equivalent request filtering that detects and blocks malicious JavaScript payloads submitted via the File argument, complementing input validation and output encoding.
  • Monitor for the release of a vendor‑issued fix, and plan for an upgrade to the patched version when available.
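
A log-triage check that supports the allowlisting and request-filtering actions above, as an added example (not OpenCVE or Portabilis code): it scans access-log lines for requests to /intranet/meusdadod.php whose File value fails a strict allowlist after URL decoding. Assumptions: combined-log-format lines, the parameter travelling in the query string, and a filename-style allowlist pattern; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

TARGET_PATH = "/intranet/meusdadod.php"   # path named in the advisory
PARAM = "file"                            # advisory names the argument "File"

# Assumed allowlist: a plain file name made of letters, digits, '.', '_' and '-'.
SAFE_VALUE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")

# Request line inside a combined-log-format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %253C) so the check sees the final text."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return (line_number, decoded_value) for File values that fail the allowlist."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group("target"))
        if target.path.lower() != TARGET_PATH:
            continue
        # parse_qsl decodes one encoding layer; fully_decode removes any others.
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            if name.lower() == PARAM:
                decoded = fully_decode(value)
                if not SAFE_VALUE.fullmatch(decoded):
                    hits.append((number, decoded))
    return hits

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Feb/2026:10:00:01 +0000] "GET /intranet/meusdadod.php?File=foto.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [06/Feb/2026:10:02:13 +0000] "GET /intranet/meusdadod.php?File=%3Cb%3Eprobe%3C%2Fb%3E HTTP/1.1" 200 5131 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [06/Feb/2026:10:02:40 +0000] "GET /intranet/meusdadod.php?file=%253Ci%253Ex HTTP/1.1" 200 5127 "-" "curl/8.5.0"',
    '198.51.100.4 - - [06/Feb/2026:10:03:02 +0000] "GET /intranet/index.php?File=%3Cb%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: File={value!r}")
```

Values sent in a POST body do not appear in access logs, so the same allowlist check would have to run in the application or at a filtering proxy to cover them.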



Advisories

No advisories yet.

History

Wed, 11 Feb 2026 19:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:portabilis:i-educar:*:*:*:*:*:*:*:*

Mon, 09 Feb 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Portabilis; Portabilis i-educar
Vendors & Products | | Portabilis; Portabilis i-educar

Fri, 06 Feb 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Feb 2026 19:45:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was identified in Portabilis i-Educar up to 2.10. Affected by this vulnerability is an unknown functionality of the file /intranet/meusdadod.php of the component User Data Page. Such manipulation of the argument File leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | Portabilis i-Educar User Data meusdadod.php cross site scripting
Weaknesses | | CWE-79; CWE-94
References | |
Metrics | | cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:27:28.636Z

Reserved: 2026-02-06T06:44:43.119Z

Link: CVE-2026-2064

Vulnrichment

Updated: 2026-02-06T20:13:11.080Z

NVD

Status: Analyzed

Published: 2026-02-06T20:16:12.087

Modified: 2026-02-11T18:59:58.613

Link: CVE-2026-2064

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:30:07Z
