{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-47106", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-05-18T19:22:26.748Z", "datePublished": "2026-06-09T19:15:05.934Z", "dateUpdated": "2026-06-09T19:23:41.690Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-06-09T19:23:41.690Z"}, "title": "Ellucian Banner Self-Service Stored XSS via getFacultyMeetingTimes API", "descriptions": [{"lang": "en", "value": "Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a stored cross-site scripting vulnerability in the course search functionality that allows authenticated Banner ERP users to inject malicious payloads into faculty and course fields by exploiting missing HTML encoding during DOM insertion. Attackers can store malicious JavaScript in fields such as faculty displayName, emailAddress, subjectDescription, or courseTitle through the unauthenticated getFacultyMeetingTimes API endpoint, causing arbitrary script execution."}], "datePublic": "2026-04-23T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "affected": [{"defaultStatus": "affected", "vendor": "Ellucian", "product": "Banner Self-Service", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThan": "April T2"}, {"status": "affected", "version": "9.41", "versionType": "custom"}]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "version": "3.1", "baseSeverity": "MEDIUM", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}}], "references": [{"url": "https://www.ellucian.com/security-researcher-hall-of-fame", "tags": ["vendor-advisory"]}, {"url": "https://www.ellucian.com/assets/en/brochure/brochure-learn-more-about-ellucian-banner-self-service.pdf", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/ellucian-banner-self-service-stored-xss-via-getfacultymeetingtimes-api", "tags": ["third-party-advisory"]}], "credits": [{"lang": "en", "value": "Abdullah M. Alotaibi", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "vulncheck"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a stored cross-site scripting vulnerability in the course search functionality that allows authenticated Banner ERP users to inject malicious payloads into faculty and course fields by exploiting missing HTML encoding during DOM insertion. Attackers can store malicious JavaScript in fields such as faculty displayName, emailAddress, subjectDescription, or courseTitle through the unauthenticated getFacultyMeetingTimes API endpoint, causing arbitrary script execution."}], "id": "CVE-2026-47106", "lastModified": "2026-06-09T20:16:59.403", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-06-09T20:16:59.403", "references": [{"source": "disclosure@vulncheck.com", "url": "https://www.ellucian.com/assets/en/brochure/brochure-learn-more-about-ellucian-banner-self-service.pdf"}, {"source": "disclosure@vulncheck.com", "url": "https://www.ellucian.com/security-researcher-hall-of-fame"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/ellucian-banner-self-service-stored-xss-via-getfacultymeetingtimes-api"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"created": "2026-06-09T21:15:05.703361+00:00", "updated": "2026-06-09T21:15:05.703377+00:00", "vendors": []}