Ghostwire
Home / Vulnerabilities / CVE-2026-47106

CVE-2026-47106: Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a stored cross-site scripting...

MEDIUM CVSS 5.5

Published: June 9, 2026 | Last Modified: June 9, 2026

Description

Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a stored cross-site scripting vulnerability in the course search functionality that allows authenticated Banner ERP users to inject malicious payloads into faculty and course fields by exploiting missing HTML encoding during DOM insertion. Attackers can store malicious JavaScript in fields such as faculty displayName, emailAddress, subjectDescription, or courseTitle through the unauthenticated getFacultyMeetingTimes API endpoint, causing arbitrary script execution.

Ghostwire Analysis — What This Means Practically

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

Security Coverage (2 articles)

Tenable CVEs
CVE-2026-47106
 CVE Feed
CVE-2026-47106 - Ellucian Banner Self-Service Stored XSS via getFacultyMeetingTimes API

References