PatchSiren cyber security CVE debrief

CVE-2026-47106 Ellucian CVE debrief

CVE-2026-47106 is a stored cross-site scripting (XSS) vulnerability in Ellucian Banner Self-Service before the April T2 release (2025-04-23). The vulnerability allows authenticated Banner ERP users to inject malicious payloads into faculty and course fields by exploiting missing HTML encoding during DOM insertion. An attacker with Banner ERP write access can store malicious JavaScript in fields such as faculty displayName, emailAddress, subjectDescription, or courseTitle; these values are subsequently served unsanitized by the unauthenticated getFacultyMeetingTimes API endpoint, causing arbitrary script execution in the browser of any user who views the affected course's meeting times.

Vendor: Ellucian
Product: Banner Self-Service
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-09
Original CVE updated: 2026-06-10
Advisory published: 2026-06-09
Advisory updated: 2026-06-10

Who should care

Users of Ellucian Banner Self-Service, particularly those with Banner ERP write access, should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The vulnerability has a CVSS score of 5.1 and a CVSS severity of MEDIUM. It was published on 2026-06-09T20:16:59.403Z and modified on 2026-06-10T19:41:25.327Z.

Defensive priority

MEDIUM

Recommended defensive actions

  • Update Ellucian Banner Self-Service to the April T2 release (2025-04-23) or later.
  • Restrict write access to Banner ERP fields such as faculty displayName, emailAddress, subjectDescription, or courseTitle.
  • Implement additional security measures to monitor and filter traffic to the getFacultyMeetingTimes API endpoint.
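
One way to approach the monitoring action above, as an added example that is not Ellucian's code or part of the original advisory: scan a captured getFacultyMeetingTimes response for markup in the four fields the CVE names, and HTML-encode any value that would otherwise reach the DOM. The response shape, the `fmt` key and the sample data are constructed assumptions; only the field names come from the CVE description.

```javascript
// Field names taken from the CVE description; everything else here is assumed.
const RISKY_FIELDS = new Set(["displayName", "emailAddress", "subjectDescription", "courseTitle"]);

// Characters that change meaning when a string is parsed as HTML.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value for insertion into HTML text or a quoted attribute.
// In the browser, assigning to textContent instead of innerHTML avoids HTML parsing altogether.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Walk any JSON value and report risky fields whose string value contains
// angle brackets or a character reference. A bare "&" in a title is not flagged.
function findMarkup(node, path = "$", hits = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => findMarkup(item, `${path}[${i}]`, hits));
  } else if (node !== null && typeof node === "object") {
    for (const [key, value] of Object.entries(node)) {
      const here = `${path}.${key}`;
      if (RISKY_FIELDS.has(key) && typeof value === "string" && /[<>]|&#?\w+;/.test(value)) {
        hits.push({ path: here, encoded: encodeHtml(value) });
      }
      findMarkup(value, here, hits);
    }
  }
  return hits;
}

// Constructed sample response (hypothetical shape, not captured from a real system).
const SAMPLE_RESPONSE = {
  fmt: [
    {
      faculty: [{ displayName: "Lee, Dana", emailAddress: "dlee@example.edu" }],
      courseTitle: "Algebra & Geometry",
      subjectDescription: "Mathematics",
    },
    {
      faculty: [{ displayName: "<script>/* constructed */</script>", emailAddress: "x@example.edu" }],
      courseTitle: "Intro to Statistics",
      subjectDescription: "Mathematics",
    },
  ],
};

console.log(findMarkup(SAMPLE_RESPONSE));
```

A hit on a patched system still means a tainted record is stored in Banner ERP and should be cleaned at the source.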

Evidence notes

The CVE record and NVD detail can be found at [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-47106) and [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-47106), respectively.
