CVE-2026-47106
Description
Stored XSS in Ellucian Banner Self-Service allows authenticated users to inject JavaScript via the getFacultyMeetingTimes API, leading to script execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Ellucian Banner Self-Service versions before the April T2 release (2025-04-23) are affected by a stored cross-site scripting vulnerability within the course search functionality. This flaw exists due to missing HTML encoding during DOM insertion, specifically when processing data through the getFacultyMeetingTimes API endpoint [2].
Exploitation
An attacker must be an authenticated Banner ERP user. They can exploit this vulnerability by injecting malicious JavaScript payloads into fields such as displayName, emailAddress, subjectDescription, or courseTitle via the getFacultyMeetingTimes API endpoint. This injection can occur during the course search functionality's processing [2].
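The root cause named above (untrusted API fields concatenated into markup without HTML encoding) and the patched behaviour are easiest to see side by side. The following is an added example, not Ellucian code and not taken from the references: it assumes a hypothetical response shape with the field names the advisory lists (displayName, emailAddress, subjectDescription, courseTitle), shows the unsafe string-building render next to an encoded one, and includes a small audit helper a defender can run over stored or returned records to flag values that carry markup characters.

```javascript
// Added example (hypothetical code, not Ellucian Banner's own implementation).
// Demonstrates the defect class behind CVE-2026-47106: inserting API-supplied
// strings into the DOM without HTML encoding, and the encoding fix.

// Fields the advisory lists as carrying attacker-controlled text (assumption:
// these are plain strings on the meeting-time record).
const UNTRUSTED_FIELDS = ["displayName", "emailAddress", "subjectDescription", "courseTitle"];

// Constructed sample record; the displayName and courseTitle deliberately
// contain markup so the difference between the two renderers is visible.
const sampleMeeting = {
  displayName: 'Jane "J" <b>Doe</b>',
  emailAddress: "jdoe@example.edu",
  subjectDescription: "Computer Science",
  courseTitle: "Intro to <i>Security</i>",
};

// Minimal HTML entity encoder for text and double-quoted attribute contexts.
// '&' must be replaced first so already-produced entities are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// VULNERABLE pattern: raw fields interpolated into markup that will later be
// assigned to innerHTML. Any '<' in displayName becomes live HTML.
function renderMeetingTimeUnsafe(meeting) {
  return `<div class="instructor">${meeting.displayName} (${meeting.emailAddress})</div>`;
}

// FIXED pattern: every untrusted field is encoded before concatenation, so the
// browser renders the characters literally instead of parsing them as tags.
function renderMeetingTimeSafe(meeting) {
  return `<div class="instructor">${escapeHtml(meeting.displayName)} (${escapeHtml(meeting.emailAddress)})</div>`;
}

// Defender-side audit: list the untrusted fields whose value contains angle
// brackets. Useful for scanning stored records or API responses for values
// that should never carry markup.
function findMarkupBearingFields(record, fields = UNTRUSTED_FIELDS) {
  return fields.filter((name) => /[<>]/.test(String(record[name] ?? "")));
}

console.log("unsafe :", renderMeetingTimeUnsafe(sampleMeeting));
console.log("safe   :", renderMeetingTimeSafe(sampleMeeting));
console.log("flagged:", findMarkupBearingFields(sampleMeeting));
```

In a browser the safe renderer's output can still be assigned to innerHTML without the tags taking effect; the simpler option when building nodes directly is to create elements and set textContent, which never parses the value as markup.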
Impact
Successful exploitation allows an attacker to achieve arbitrary script execution within the context of other users browsing the affected application. This could lead to session hijacking, data theft, or further malicious actions, depending on the privileges of the compromised user [2].
Mitigation
Ellucian released a patch for this vulnerability in the April T2 release, dated 2025-04-23. Users are advised to update to this version or later. No workarounds are mentioned in the available references [2].
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <2025-04-23
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.