Description
Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a stored cross-site scripting vulnerability in the course search functionality that allows authenticated Banner ERP users to inject malicious payloads into faculty and course fields by exploiting missing HTML encoding during DOM insertion. Attackers can store malicious JavaScript in fields such as faculty displayName, emailAddress, subjectDescription, or courseTitle through the unauthenticated getFacultyMeetingTimes API endpoint, causing arbitrary script execution.
Published: 2026-06-09
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Ellucian Banner Self-Service versions prior to the April T2 release (2025-04-23) store data entered into the course search functionality without proper HTML encoding. This defect allows an authenticated Banner ERP user to inject malicious JavaScript into fields such as faculty display name, email address, subject description, or course title via the getFacultyMeetingTimes API. When a browser processes the retrieved data, the injected script runs with the privileges of the viewing user, potentially allowing data exfiltration, session hijacking, or defacement.

Affected Systems

The vulnerability affects Ellucian Banner Self-Service software. All releases before the April T2 update (2025-04-23) are vulnerable; later releases presumably contain the fix.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, and the EPSS score is not available, so the likelihood of exploitation is unknown. The vulnerability is not listed in the CISA KEV catalog. The attack vector is through the publicly accessible getFacultyMeetingTimes API, but the injection payload must be submitted by an authenticated Banner ERP user. Once stored, the payload executes in the victim's browser context, providing client-side code execution.

Generated by OpenCVE AI on June 9, 2026 at 21:03 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the April T2 release (2025-04-23) or later to receive the vendor patch.
  • If immediate upgrade is impossible, sanitize or HTML-encode all data returned by the getFacultyMeetingTimes API before it is inserted into the DOM.
  • Limit access to the getFacultyMeetingTimes API to trusted users only, and monitor for anomalous input patterns that may indicate exploitation attempts.
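The second recommendation above, shown as an added example that is not Ellucian's code: a course-search row rendered once by direct string interpolation (the pattern the advisory describes) and once with every API field HTML-encoded first. The response shape and the field values are constructed stand-ins for a getFacultyMeetingTimes record, and the markup in displayName is a harmless <b> tag used only to make the difference observable.

```javascript
// Constructed stand-in for one getFacultyMeetingTimes record (shape is assumed).
const SAMPLE_RESPONSE = {
  fmt: [{
    faculty: [{ displayName: 'Dr. <b>Example</b>', emailAddress: 'example@example.edu' }],
    course: { subjectDescription: 'Computer Science', courseTitle: 'Intro "Security" & Privacy' },
  }],
};

// Encode the five characters that can change HTML context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Vulnerable pattern: untrusted API fields interpolated straight into markup,
// so any tag stored in a field becomes part of the page.
function renderUnsafe(record) {
  const f = record.faculty[0];
  const c = record.course;
  return `<li>${f.displayName} (${f.emailAddress}) - ${c.subjectDescription}: ${c.courseTitle}</li>`;
}

// Hardened pattern: each field is encoded before interpolation, so markup in the
// data is displayed as literal text instead of being parsed.
function renderSafe(record) {
  const f = record.faculty[0];
  const c = record.course;
  return `<li>${escapeHtml(f.displayName)} (${escapeHtml(f.emailAddress)}) - ` +
    `${escapeHtml(c.subjectDescription)}: ${escapeHtml(c.courseTitle)}</li>`;
}

// Count HTML tags in a rendered fragment; the safe output should contain only
// the two <li> tags the template itself adds.
function tagCount(html) {
  return (html.match(/<\/?[a-z][^>]*>/gi) || []).length;
}
```

In a browser, building the row with document.createElement and textContent avoids the need to encode at all; encoding as above is the fallback when the existing code must keep assigning markup strings.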

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 11:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Ellucian; Ellucian banner Self-service
Vendors & Products | | Ellucian; Ellucian banner Self-service

Tue, 09 Jun 2026 19:45:00 +0000

Type | Values Removed | Values Added
Description | | Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a stored cross-site scripting vulnerability in the course search functionality that allows authenticated Banner ERP users to inject malicious payloads into faculty and course fields by exploiting missing HTML encoding during DOM insertion. Attackers can store malicious JavaScript in fields such as faculty displayName, emailAddress, subjectDescription, or courseTitle through the unauthenticated getFacultyMeetingTimes API endpoint, causing arbitrary script execution.
Title | | Ellucian Banner Self-Service Stored XSS via getFacultyMeetingTimes API
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}; cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Ellucian Banner Self-service
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-09T19:23:41.690Z

Reserved: 2026-05-18T19:22:26.748Z

Link: CVE-2026-47106

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-09T20:16:59.403

Modified: 2026-06-09T20:16:59.403

Link: CVE-2026-47106

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T11:22:13Z

Weaknesses