Ellucian Banner Self-Service Reflected XSS via dateConverter
CVE-2026-32856

5.1 MEDIUM

Key Information:

Vendor

Ellucian

CVE Published:
9 June 2026

What is CVE-2026-32856?

Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting unsanitized input through the toDateFormat request parameter in the dateConverter endpoint. Attackers can craft a malicious URL targeting the unauthenticated dateConverter endpoint to steal session cookies or perform other malicious actions in the context of the victim's browser session.
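
For defenders reviewing web access logs, the following added example (not part of the advisory or any Ellucian code) flags requests to a dateConverter path whose toDateFormat value contains anything other than date-format characters. The combined log format, the `/app-placeholder/` path prefix, the sample lines and the allowlist itself are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Characters a date-format pattern plausibly needs: letters, digits and common
# separators. This allowlist is an assumption, not Ellucian's validation rule.
SAFE_FORMAT = re.compile(r"[A-Za-z0-9 /.,:'\-]{0,40}")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so double-encoded markup is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(log_lines):
    """Return (line_number, decoded_value) for dateConverter requests whose
    toDateFormat value falls outside the allowlist."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if "dateconverter" not in url.path.lower():
            continue
        # parse_qs already percent-decodes once; fully_decode handles the rest.
        params = parse_qs(url.query, keep_blank_values=True)
        for raw in params.get("toDateFormat", []):
            value = fully_decode(raw)
            if not SAFE_FORMAT.fullmatch(value):
                hits.append((number, value))
    return hits

# Constructed sample access-log lines; the path prefix is a placeholder.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/May/2025:10:00:01 +0000] "GET /app-placeholder/dateConverter?toDateFormat=MM%2Fdd%2Fyyyy HTTP/1.1" 200 31',
    '198.51.100.9 - - [01/May/2025:10:00:05 +0000] "GET /app-placeholder/dateConverter?toDateFormat=%3Cscript%3EPLACEHOLDER%3C%2Fscript%3E HTTP/1.1" 200 58',
    '198.51.100.9 - - [01/May/2025:10:00:09 +0000] "GET /app-placeholder/dateConverter?toDateFormat=%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 44',
    '198.51.100.3 - - [01/May/2025:10:00:12 +0000] "GET /app-placeholder/other?toDateFormat=%3Cb%3E HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for number, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: suspicious toDateFormat={value!r}")
```

Because the endpoint is unauthenticated, hits can appear without any preceding login activity from the same client.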

Affected Version(s)

Banner Self-Service 0


Banner Self-Service 9.23


CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Abdullah M. Alotaibi
Faris Almutairi
VulnCheck