CVE-2026-32856

MEDIUM 6.1

Ellucian Banner Self-Service Reflected XSS via dateConverter

CVSS Score

6.1

EPSS Score

0.0%

EPSS Percentile

0th

Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting unsanitized input through the toDateFormat request parameter in the dateConverter endpoint. Attackers can craft a malicious URL targeting the unauthenticated dateConverter endpoint to steal session cookies or perform other malicious actions in the context of the victim's browser session.

CWE	CWE-79
Vendor	ellucian
Product	banner self-service
Published	Jun 9, 2026
Last Updated	Jun 9, 2026

Stay Ahead of the Next One

Get instant alerts for ellucian banner self-service

Be the first to know when new medium vulnerabilities affecting ellucian banner self-service are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

Ellucian / Banner Self-Service

0 < April T2 9.23

References

NVD ↗ CVE.org ↗ EPSS Data ↗

ellucian.com: https://www.ellucian.com/security-researcher-hall-of-fame ellucian.com: https://www.ellucian.com/assets/en/brochure/brochure-learn-more-about-ellucian-banner-self-service.pdf vulncheck.com: https://www.vulncheck.com/advisories/ellucian-banner-self-service-reflected-xss-via-dateconverter

Credits

Abdullah M. Alotaibi Faris Almutairi VulnCheck