CVE-2026-32856
Deferred - Pending Action

Reflected XSS in Ellucian Banner Self-Service

Vulnerability report for CVE-2026-32856, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: VulnCheck

Description

Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting unsanitized input through the toDateFormat request parameter in the dateConverter endpoint. Attackers can craft a malicious URL targeting the unauthenticated dateConverter endpoint to steal session cookies or perform other malicious actions in the context of the victim's browser session.


Meta Information

Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-30
AI Q&A: 2026-06-10
EPSS Evaluated: 2026-06-28

Affected Vendors & Products

Associated CPE (1):
Vendor: ellucian
Product: banner_self-service
Version range: up to 2025-04-23 (exclusive)

CWE

CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

AI Quick Actions
Executive Summary

CVE-2026-32856 is a reflected cross-site scripting (XSS) vulnerability in Ellucian Banner Self-Service software versions before the April T2 release (2025-04-23).

The vulnerability exists in the dateConverter endpoint, specifically in the toDateFormat request parameter, which does not properly sanitize user input.

This flaw allows unauthenticated attackers to inject and execute arbitrary JavaScript code in the browser of a victim who clicks on a maliciously crafted URL targeting this endpoint.

Exploitation can lead to actions such as stealing session cookies or performing other malicious activities within the victim's browser session.

Impact Analysis

This vulnerability can impact users by allowing attackers to execute arbitrary JavaScript in their browsers without authentication.

Attackers can steal session cookies, which may enable them to hijack user sessions and gain unauthorized access to user accounts or sensitive information.

Other malicious actions could be performed within the context of the victim's browser session, potentially compromising user data and security.

Detection Guidance

This vulnerability can be detected by testing the dateConverter endpoint of Ellucian Banner Self-Service for reflected cross-site scripting (XSS) via the toDateFormat request parameter.

A common detection method is to craft a URL targeting the dateConverter endpoint with a payload in the toDateFormat parameter that includes JavaScript code, then observe if the input is reflected unsanitized in the response.

For example, you can use curl or a web proxy tool to send a request like:

  • curl -v "http://[target]/dateConverter?toDateFormat=<script>alert(1)</script>"

If the response contains the injected script tag without proper sanitization or encoding, it indicates the presence of the vulnerability.

Additionally, web vulnerability scanners that test for reflected XSS vulnerabilities can be used to automate detection.
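Beyond probing the endpoint yourself, the same reflection test can be turned around into monitoring: watch the access log for requests that hit dateConverter with markup in toDateFormat. The script below is an added example for this page, not Ellucian's code or a VulnCheck tool. The log lines and the /ssb/ mount point are constructed (only the final path segment dateConverter is matched, since the real deployment path is not given here); the first probe line carries the page's own curl payload in URL-encoded form.

```python
"""Hunt for toDateFormat probes against a dateConverter endpoint in access logs.

Added example for this page, not Ellucian code. The request path and the log
lines below are constructed; the real mount point of dateConverter in a Banner
Self-Service deployment is an assumption (only the final path segment is matched).
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined log format fields we need: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Markup or script indicators that have no business in a date-format string.
SUSPICIOUS_RE = re.compile(r'<|>|javascript:|\bon\w+\s*=', re.IGNORECASE)

# Constructed sample traffic: one benign call, two reflected-XSS probes (the first
# is the page's own curl payload, URL-encoded), one unrelated request.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Jun/2026:10:01:02 +0000] "GET /ssb/dateConverter?toDateFormat=MM/dd/yyyy HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [09/Jun/2026:10:01:05 +0000] "GET /ssb/dateConverter?toDateFormat=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "curl/8.0"
203.0.113.12 - - [09/Jun/2026:10:01:09 +0000] "GET /ssb/dateConverter?toDateFormat=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 655 "-" "Mozilla/5.0"
203.0.113.13 - - [09/Jun/2026:10:01:12 +0000] "GET /ssb/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def find_probes(log_text: str) -> list[dict]:
    """Return one record per request that hits .../dateConverter with markup in toDateFormat."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().endswith("/dateconverter"):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for raw in params.get("toDateFormat", []):
            # parse_qs already decoded once; decode again so a double-encoded
            # payload (%253C -> %3C -> <) is inspected in its final form.
            value = unquote_plus(raw)
            if SUSPICIOUS_RE.search(value):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": int(m.group("status")), "value": value})
    return hits


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} toDateFormat={hit['value']!r}")
```

A 200 status on a flagged request is worth a closer look at the response body: on an unpatched instance the payload comes back unencoded, on a patched one it should be encoded or rejected. The second decode step matters because WAF and scanner traffic frequently arrives double-encoded.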

Mitigation Strategies

The immediate mitigation step is to upgrade Ellucian Banner Self-Service to the April T2 release (2025-04-23) or later, where this vulnerability has been addressed.

Until the upgrade can be applied, consider implementing web application firewall (WAF) rules to block or sanitize requests containing suspicious input in the toDateFormat parameter targeting the dateConverter endpoint.

Also, educate users to be cautious about clicking on suspicious links that may exploit this reflected XSS vulnerability.
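To make the fix concrete, the following added example (hypothetical code, not Ellucian's dateConverter implementation) shows the vulnerable pattern of interpolating toDateFormat straight into HTML next to two hardened forms: an allow-list check, which is the same predicate a WAF rule would enforce while the upgrade is pending, and contextual output encoding. The allow-list grammar for a date-format string is an assumption chosen to be deliberately strict.

```python
"""Vulnerable vs. hardened reflection of a request parameter into an HTML response.

Added example for this page, not Ellucian code. The handler is a hypothetical
stand-in for a dateConverter-style endpoint; the allow-list grammar for a date
format string is an assumption, chosen to be stricter than any real need.
"""
import html
import re

# Characters a date-format pattern plausibly needs (letters, digits, separators).
# Anything else, including < > " ' & and parentheses, is rejected outright.
FORMAT_RE = re.compile(r"[A-Za-z0-9/.,:_ -]{1,32}")


def render_vulnerable(to_date_format: str) -> str:
    """Before: the parameter is interpolated raw, so markup in it becomes page markup."""
    return f"<p>Output format: {to_date_format}</p>"


def validate_format(to_date_format: str) -> bool:
    """Allow-list check; the same predicate a WAF rule or input filter would apply."""
    return FORMAT_RE.fullmatch(to_date_format) is not None


def render_hardened(to_date_format: str) -> str:
    """After: reject unexpected input, then HTML-encode for the element-content context."""
    if not validate_format(to_date_format):
        raise ValueError("toDateFormat rejected by allow-list")
    return f"<p>Output format: {html.escape(to_date_format, quote=True)}</p>"


def render_encoded_only(to_date_format: str) -> str:
    """Minimum viable fix when input cannot be restricted: contextual output encoding alone."""
    return f"<p>Output format: {html.escape(to_date_format, quote=True)}</p>"


def reflected_unescaped(response_body: str, probe: str) -> bool:
    """The manual check from the detection guidance: probe string present verbatim in the body."""
    return probe in response_body


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"  # the page's own test payload
    print("vulnerable reflects:", reflected_unescaped(render_vulnerable(probe), probe))
    print("encoded-only reflects:", reflected_unescaped(render_encoded_only(probe), probe))
    print("hardened accepts probe:", validate_format(probe))
    print(render_hardened("MM/dd/yyyy"))
```

Output encoding is the control that actually removes the XSS; the allow-list is defence in depth and the only part a WAF can replicate from outside the application. Encoding must match the output context: html.escape is right for element content and quoted attributes, not for a value that lands inside a script block or a URL.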

Compliance Impact

The provided information does not specify how the reflected cross-site scripting vulnerability in Ellucian Banner Self-Service impacts compliance with common standards and regulations such as GDPR or HIPAA.
