CVE-2026-4355 is a cross-site scripting vulnerability identified in Portabilis i-Educar version 2.11, a widely used open-source educational management system. The vulnerability exists in the /intranet/educar_servidor_curso_lst.php endpoint, where the 'Name' parameter is improperly sanitized, allowing attackers to inject malicious JavaScript code. This flaw enables remote attackers to craft URLs or input that, when processed by the vulnerable endpoint, execute arbitrary scripts in the context of the victim's browser. The vulnerability does not require authentication, lowering the barrier for exploitation, but does require user interaction, such as clicking a malicious link or visiting a compromised page. The CVSS 4.0 base score is 5.1, reflecting medium severity due to the limited impact on confidentiality and integrity but the potential for session hijacking or phishing. The vendor has not issued any patches or responses, and the exploit code is publicly available, increasing the risk of exploitation. No known active exploitation has been reported yet. The vulnerability affects educational institutions and organizations using i-Educar 2.11, potentially exposing sensitive student and staff data or enabling unauthorized actions within the system. The lack of vendor response complicates remediation efforts, necessitating alternative mitigation strategies.

The primary impact of CVE-2026-4355 is the potential for attackers to execute arbitrary JavaScript in the context of users accessing the vulnerable i-Educar system. This can lead to session hijacking, theft of authentication tokens, redirection to malicious websites, or unauthorized actions performed on behalf of the victim. For educational institutions, this could compromise sensitive student and staff information, disrupt administrative operations, and damage trust in the system. The vulnerability's remote exploitability and lack of authentication requirements increase its risk profile. Although the vulnerability does not directly affect system availability or integrity at a high level, the indirect consequences of successful exploitation—such as data leakage or unauthorized access—can be significant. The public availability of exploit code raises the likelihood of opportunistic attacks, especially against less-secured deployments. Organizations worldwide using i-Educar 2.11 face reputational damage, regulatory compliance issues, and potential operational disruptions if exploited.

Given the absence of an official patch from the vendor, organizations should implement the following specific mitigations: 1) Apply strict input validation and output encoding on the 'Name' parameter at the web application or reverse proxy level to neutralize malicious scripts. 2) Deploy a Web Application Firewall (WAF) with rules targeting common XSS attack patterns, specifically tuned for i-Educar endpoints. 3) Restrict access to the /intranet/educar_servidor_curso_lst.php endpoint to trusted IP ranges or authenticated users where possible, reducing exposure. 4) Conduct user awareness training to recognize and avoid phishing attempts that exploit this vulnerability. 5) Monitor web server and application logs for suspicious requests containing script tags or unusual payloads targeting the vulnerable parameter. 6) Consider isolating or segmenting the i-Educar system within the network to limit lateral movement if compromised. 7) Regularly review and update security controls and prepare for patch deployment once the vendor releases an official fix. 8) If feasible, upgrade to a later, unaffected version of i-Educar or apply community-developed patches after thorough testing.