PatchSiren cyber security CVE debrief
CVE-2026-32856 Ellucian CVE debrief
CVE-2026-32856 is a reflected cross-site scripting (XSS) vulnerability in Ellucian Banner Self-Service before the April T2 release (2025-04-23). The vulnerability allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting unsanitized input through the toDateFormat request parameter in the dateConverter endpoint. Attackers can craft a malicious URL targeting the unauthenticated dateConverter endpoint to steal session cookies or perform other malicious actions in the context of the victim's browser session.
- Vendor: Ellucian
- Product: Banner Self-Service
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-10
Who should care
Administrators and users of Ellucian Banner Self-Service before the April T2 release (2025-04-23) should be aware of this vulnerability and take necessary actions to mitigate it.
Technical summary
The vulnerability has a CVSS score of 5.1 and a CVSS severity of MEDIUM. It was published on 2026-06-09 and modified on 2026-06-10. The vulnerability is identified by CWE-79.
Defensive priority
MEDIUM
Recommended defensive actions
- Update Ellucian Banner Self-Service to the April T2 release (2025-04-23) or later.
- Implement input validation and sanitization for the toDateFormat request parameter in the dateConverter endpoint.
- Use a web application firewall (WAF) to detect and prevent XSS attacks.
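An added example, not Ellucian's code and not part of the original advisory: an allow-list check for toDateFormat values, reused to flag dateConverter requests in web access logs whose value is not a plain date pattern. The allowed character set, the /PLACEHOLDER/ path prefix, the combined log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate values are short date patterns made of pattern
# letters and common separators (e.g. MM/dd/yyyy). Anything else is rejected,
# which excludes <, >, quotes, parentheses and leftover percent-encoding.
SAFE_FORMAT = re.compile(r"[A-Za-z/.,:\- ]{1,32}")

# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def is_safe_date_format(value: str) -> bool:
    """Allow-list validation: the whole value must match, not just a prefix."""
    return SAFE_FORMAT.fullmatch(value) is not None

def suspicious_requests(log_lines):
    """Return (client, decoded value) for dateConverter hits failing the check."""
    hits = []
    for line in log_lines:
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.rstrip("/").endswith("/dateConverter"):
            continue
        # parse_qs percent-decodes once; a double-encoded value still
        # contains '%' afterwards and therefore fails the allow-list.
        for value in parse_qs(url.query).get("toDateFormat", []):
            if not is_safe_date_format(value):
                hits.append((line.split()[0], value))
    return hits

# Constructed sample log lines (documentation IP ranges, placeholder path).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jun/2026:10:00:01 +0000] '
    '"GET /PLACEHOLDER/dateConverter?toDateFormat=MM/dd/yyyy HTTP/1.1" 200 31',
    '203.0.113.9 - - [10/Jun/2026:10:00:05 +0000] '
    '"GET /PLACEHOLDER/dateConverter?toDateFormat=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 58',
    '203.0.113.9 - - [10/Jun/2026:10:00:09 +0000] '
    '"GET /PLACEHOLDER/dateConverter?toDateFormat=%253Cb%253E HTTP/1.1" 200 40',
    '198.51.100.7 - - [10/Jun/2026:10:00:12 +0000] '
    '"GET /PLACEHOLDER/other?toDateFormat=%3Cb%3E HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client} sent non-date toDateFormat value: {value!r}")
```

The same allow-list belongs on the server side before the value is used, with HTML output encoding applied wherever the value is echoed back, since validation alone does not replace encoding.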
Evidence notes
The vendor of this product is likely Ellucian, based on the information provided in the source item.
Official resources
CVE-2026-32856 was published on 2026-06-09T20:16:34.363Z and modified on 2026-06-10T19:41:25.327Z.