CVE-2026-2064
Unknown Unknown - Not Provided
Cross-Site Scripting in Portabilis i-Educar User Data Page

Publication date: 2026-02-06

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in Portabilis i-Educar up to 2.10. Affected by this vulnerability is an unknown functionality of the file /intranet/meusdadod.php of the component User Data Page. Such manipulation of the argument File leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-06
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2064
EUVD
EUVD-2026-5595
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
portabilis i-educar to 2.10.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-2064 is a cross-site scripting (XSS) vulnerability found in Portabilis i-Educar versions up to 2.10, specifically in the User Data Page component at the file /intranet/meusdadod.php.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the application does not properly sanitize the user-controllable "file" parameter, allowing an attacker to inject malicious scripts that get executed in the context of a victim\'s browser.'}, {'type': 'paragraph', 'content': 'This can be exploited remotely by manipulating the "file" argument, including by uploading a malicious avatar image containing embedded JavaScript code that executes when accessed.'}] [2, 3]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability impacts the integrity of the application by allowing attackers to execute arbitrary scripts in the context of users' browsers."}, {'type': 'paragraph', 'content': 'Such cross-site scripting attacks can lead to session hijacking, defacement, or redirection to malicious sites, potentially compromising user trust and security.'}, {'type': 'paragraph', 'content': 'The attack requires some user interaction but can be launched remotely, and a public exploit is available, making it easier for attackers to exploit.'}] [2, 3]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for the presence of the vulnerable endpoint /intranet/meusdadod.php in Portabilis i-Educar versions up to 2.10.'}, {'type': 'paragraph', 'content': 'One method to identify vulnerable targets is using Google dorking with the query: inurl:intranet/meusdadod.php.'}, {'type': 'paragraph', 'content': 'Additionally, testing the file parameter for cross-site scripting (XSS) can be done by sending crafted requests with payloads such as the following SVG-based script to see if it is reflected or executed:'}, {'type': 'list_item', 'content': '<svg xmlns="http://www.w3.org/2000/svg" fill="none"> <script> alert("This is an XSS for "+document.domain+"!"); </script> </svg>'}, {'type': 'paragraph', 'content': 'A practical approach is to intercept the upload request to /intranet/meusdadod.php and inject the above payload into the file parameter to confirm if the XSS executes.'}] [2, 3]

Mitigation Strategies

Currently, there are no known vendor-provided mitigations or countermeasures for this vulnerability, as the vendor did not respond to the disclosure.

Immediate steps to mitigate the risk include:

  • Restrict access to the /intranet/meusdadod.php endpoint to trusted users only, using network-level controls or authentication.
  • Implement web application firewall (WAF) rules to detect and block malicious payloads targeting the file parameter.
  • Monitor logs for suspicious requests containing script tags or unusual input in the file parameter.
  • Educate users about the risks of interacting with untrusted content and avoid clicking on suspicious links that may exploit this vulnerability.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2064. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart