CVE-2026-47106
Status: Received - Intake
BaseFortify

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: VulnCheck

Description
Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a stored cross-site scripting vulnerability in the course search functionality that allows authenticated Banner ERP users to inject malicious payloads into faculty and course fields by exploiting missing HTML encoding during DOM insertion. Attackers can store malicious JavaScript in fields such as faculty displayName, emailAddress, subjectDescription, or courseTitle through the unauthenticated getFacultyMeetingTimes API endpoint, causing arbitrary script execution.
Meta Information
Generated: 2026-06-10
AI Q&A: 2026-06-10
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: ellucian
Product: banner_self-service
Version / Range: before 2025-04-23 (excluding)
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions (instant insights powered by AI)
Executive Summary

CVE-2026-47106 is a stored cross-site scripting (XSS) vulnerability found in Ellucian Banner Self-Service before the April T2 release (2025-04-23).

This vulnerability exists in the course search functionality where authenticated Banner ERP users can inject malicious JavaScript payloads into fields such as faculty displayName, emailAddress, subjectDescription, or courseTitle.

The root cause is missing HTML encoding during DOM insertion: an attacker can use the unauthenticated getFacultyMeetingTimes API endpoint to store malicious scripts in these fields, and the stored script executes whenever the fields are rendered in another user's browser.

Impact Analysis

This vulnerability can lead to arbitrary script execution in the context of authenticated users of the Banner ERP system.

An attacker could inject malicious JavaScript that runs when other users view affected fields, potentially leading to session hijacking, unauthorized actions, or data theft within the application.

Because payloads can be stored through an unauthenticated API endpoint and then execute in the browsers of authenticated users, a single injection persists and can affect many users, which raises the risk compared with a reflected XSS.

Detection Guidance

This vulnerability involves stored cross-site scripting (XSS) in the Ellucian Banner Self-Service application, specifically through the unauthenticated getFacultyMeetingTimes API endpoint. Detection would involve monitoring or inspecting requests and responses related to this API endpoint for suspicious or malicious JavaScript payloads injected into fields such as faculty displayName, emailAddress, subjectDescription, or courseTitle.

Since the vulnerability is related to stored XSS via API input, detection commands could include searching logs or traffic for suspicious script tags or JavaScript code in these fields.

  • Use network traffic inspection tools (e.g., Wireshark, tcpdump) to capture HTTP requests to the getFacultyMeetingTimes API endpoint and analyze payloads.
  • Search web server or application logs for suspicious input patterns, such as <script> tags or event handlers in faculty or course-related fields.
  • Example command to search logs for script tags: grep -i '<script' /path/to/banner/logs/*
  • Example curl command to test the API endpoint for injection: curl -X GET 'https://your-banner-selfservice-domain/api/getFacultyMeetingTimes?query=<script>alert(1)</script>' and observe if the payload is reflected or stored.
Mitigation Strategies

Immediate mitigation steps include applying the April T2 release (2025-04-23) or later for Ellucian Banner Self-Service, which addresses this stored XSS vulnerability by properly encoding HTML during DOM insertion.

Until the patch is applied, restrict access to the getFacultyMeetingTimes API endpoint to trusted authenticated users only, and implement input validation or sanitization to prevent malicious JavaScript payloads from being stored.

  • Apply the official Ellucian Banner Self-Service update released on or after 2025-04-23.
  • Restrict or monitor access to the getFacultyMeetingTimes API endpoint.
  • Implement web application firewall (WAF) rules to detect and block malicious script payloads targeting this API.
  • Educate users about the risk of executing untrusted scripts and encourage cautious use of the affected application.
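The encoding fix the mitigation refers to, shown as an added example that is not Ellucian's code: the vulnerable pattern concatenates getFacultyMeetingTimes fields straight into markup, while the hardened version entity-encodes every field at the insertion point and only builds a mailto: link for values that look like an address. The response shape, the field nesting under faculty, and the sample values are assumptions.

```javascript
// Added example, not Ellucian's code: encode untrusted getFacultyMeetingTimes
// fields before they become markup. The record shape below is assumed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Entity-encode a value for HTML text and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Conservative check before building a mailto: link; anything else is rendered
// as plain text, because entity encoding alone does not make a URL attribute safe.
function isPlausibleEmail(value) {
  return /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/.test(String(value ?? ''));
}

// Vulnerable pattern (the bug class in this advisory): raw concatenation of
// API fields into a string that is later assigned to innerHTML.
function renderMeetingRowUnsafe(m) {
  return `<tr><td>${m.subjectDescription}</td><td>${m.courseTitle}</td>` +
    `<td>${m.faculty.displayName}</td>` +
    `<td><a href="mailto:${m.faculty.emailAddress}">${m.faculty.emailAddress}</a></td></tr>`;
}

// Hardened pattern: every untrusted field is encoded where it is inserted.
function renderMeetingRowSafe(m) {
  const email = m.faculty.emailAddress;
  const emailCell = isPlausibleEmail(email)
    ? `<a href="mailto:${escapeHtml(email)}">${escapeHtml(email)}</a>`
    : escapeHtml(email);
  return `<tr><td>${escapeHtml(m.subjectDescription)}</td><td>${escapeHtml(m.courseTitle)}</td>` +
    `<td>${escapeHtml(m.faculty.displayName)}</td><td>${emailCell}</td></tr>`;
}

// Constructed sample record: field names from the advisory, values made up,
// with a stored payload in displayName and a non-address string in emailAddress.
const SAMPLE_MEETING = {
  subjectDescription: 'Computer Science',
  courseTitle: 'Intro to "Security" & Privacy',
  faculty: {
    displayName: 'Dr. Example<script>alert(1)</script>',
    emailAddress: 'javascript:alert(1)',
  },
};

// True when rendered markup still carries an unencoded script tag.
function containsRawScript(html) {
  return /<script\b/i.test(html);
}
```

With a real DOM, prefer textContent or createTextNode for text cells over building innerHTML strings; the escaping above is the minimum needed when string-built markup cannot be avoided.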