CVE-2026-47106
Severity: MEDIUM
Ellucian Banner Self-Service Stored XSS via getFacultyMeetingTimes API
Title source: cnaDescription
Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a stored cross-site scripting vulnerability in the course search functionality that allows authenticated Banner ERP users to inject malicious payloads into faculty and course fields by exploiting missing HTML encoding during DOM insertion. An attacker with Banner ERP write access can store malicious JavaScript in fields such as faculty displayName, emailAddress, subjectDescription, or courseTitle; these values are subsequently served unsanitized by the unauthenticated getFacultyMeetingTimes API endpoint, causing arbitrary script execution in the browser of any user who views the affected course's meeting times.
References (3)
Core References:
Product: https://www.ellucian.com/assets/en/brochure/brochure-learn-more-about-ellucian-banner-self-service.pdf
Vendor Advisory: https://www.ellucian.com/security-researcher-hall-of-fame
Third Party Advisory: https://www.vulncheck.com/advisories/ellucian-banner-self-service-stored-xss-via-getfacultymeetingtimes-api
Scores
CVSS v3: 5.4
EPSS: 0.0020
EPSS Percentile: 9.4%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (2)
Ellucian/Banner Self-Service < April T2
Ellucian/Banner Self-Service 9.41
Published: Jun 09, 2026
Tracked Since: Jun 10, 2026