Stored Cross-Site Scripting Vulnerability in Portabilis i-Educar
CVE-2025-9638

4.8 MEDIUM

Key Information:

Vendor: Portabilis

Status
Vendor
CVE Published: 9 December 2025

What is CVE-2025-9638?

A vulnerability in Portabilis i-Educar allows attackers to execute malicious scripts in the user's browser via the matricula_interna parameter, specifically through the educar_usuario_cad.php endpoint. This stored cross-site scripting (XSS) flaw enables unauthorized access and manipulation of sensitive user data, highlighting the need for robust input sanitization measures to safeguard users and strengthen security protocols.

Affected Version(s)

i-Educar Windows 2.10.0

CVSS V4

Score: 4.8
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Marcelo Queiroz