CVE-2026-47106 is a stored cross-site scripting (XSS) vulnerability in Ellucian Banner Self-Service before the April T2 release (2025-04-23). The vulnerability allows authenticated Banner ERP users to inject malicious payloads into faculty and course fields by exploiting missing HTML encoding during DOM insertion. An attacker with Banner ERP write access can store malicious JavaScript in fields such as fa [truncated]
CVE-2026-32856 is a reflected cross-site scripting (XSS) vulnerability in Ellucian Banner Self-Service before the April T2 release (2025-04-23). The vulnerability allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting unsanitized input through the toDateFormat request parameter in the dateConverter endpoint. Attackers can craft a malicious URL targeting the una [truncated]
