CVE-2026-2064 is a cross-site scripting vulnerability identified in Portabilis i-Educar, a widely used educational management system, affecting all versions up to 2.10. The vulnerability resides in the /intranet/meusdadod.php file, specifically in the handling of the 'File' argument within the User Data Page component. Improper sanitization or encoding of this parameter allows an attacker to inject malicious JavaScript code, which executes in the context of the victim's browser when they interact with the affected page. The attack vector is remote and does not require prior authentication, although user interaction is necessary to trigger the malicious script. The vulnerability can be exploited to steal session cookies, perform actions on behalf of the user, or deliver further malware. Despite early notification, the vendor has not issued a patch or mitigation guidance, and public exploit code is available, increasing the risk of exploitation. The CVSS 4.0 base score is 5.1 (medium severity), reflecting the ease of exploitation and limited impact on confidentiality and integrity, with no impact on availability. The vulnerability affects educational institutions relying on i-Educar for managing student and administrative data, potentially exposing sensitive information and undermining trust in the platform.

For European organizations, particularly educational institutions using Portabilis i-Educar, this vulnerability poses a risk of unauthorized script execution within users' browsers. This can lead to theft of session tokens, unauthorized actions performed on behalf of users, and potential exposure of sensitive student and staff data. The integrity of user data may be compromised if attackers manipulate inputs or responses via injected scripts. Confidentiality is partially impacted due to possible data leakage through session hijacking or information disclosure. Availability is not directly affected. The presence of publicly available exploits and lack of vendor patches increase the likelihood of targeted attacks. Institutions with limited cybersecurity resources may face challenges in detecting and mitigating such attacks, potentially leading to reputational damage and regulatory compliance issues under GDPR if personal data is exposed.

1. Implement strict input validation and output encoding on the 'File' parameter in /intranet/meusdadod.php to neutralize malicious scripts. 2. Deploy a Web Application Firewall (WAF) with robust XSS detection and blocking capabilities to filter malicious payloads targeting this vulnerability. 3. Conduct regular security audits and code reviews focusing on input handling in i-Educar components. 4. Educate users to recognize and avoid suspicious links or inputs that could trigger XSS attacks. 5. Isolate the i-Educar application environment to limit lateral movement in case of compromise. 6. Monitor web server and application logs for unusual activity indicative of exploitation attempts. 7. Engage with Portabilis or community forums to track any forthcoming patches or official mitigations. 8. Consider temporary disabling or restricting access to the vulnerable functionality if feasible until a patch is available.