CVE-2026-4355 is a cross-site scripting vulnerability identified in Portabilis i-Educar version 2.11, specifically within the /intranet/educar_servidor_curso_lst.php file of the Endpoint component. The vulnerability arises from improper sanitization of the 'Name' parameter, which allows an attacker to inject malicious JavaScript code remotely. This injection can be triggered without authentication, but requires user interaction, such as clicking a crafted URL or visiting a malicious webpage. The vulnerability does not affect the confidentiality, integrity, or availability of the server directly but compromises the security context of users interacting with the vulnerable endpoint. Successful exploitation can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim user. Despite the vendor being notified early, no patch or response has been issued, and the exploit code is publicly available, increasing the likelihood of exploitation attempts. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, user interaction needed, and limited impact on confidentiality and integrity. This vulnerability primarily threatens the security of end users within educational institutions using i-Educar 2.11, a platform widely used in Brazil and some Latin American countries. The lack of vendor response and public exploit availability necessitates immediate defensive measures by administrators.

The primary impact of CVE-2026-4355 is on the confidentiality and integrity of user sessions within the i-Educar platform. Attackers exploiting this XSS vulnerability can execute arbitrary scripts in the context of authenticated users, potentially stealing session cookies, credentials, or performing unauthorized actions on behalf of users. This can lead to unauthorized access to sensitive educational data, manipulation of student records, or disruption of administrative functions. While the vulnerability does not directly compromise server availability or system integrity, the resulting user session compromise can have cascading effects on organizational security and trust. Educational institutions relying on i-Educar 2.11 are at risk of targeted phishing or social engineering attacks leveraging this vulnerability. The public availability of exploit code increases the risk of opportunistic attacks, especially in environments with limited security monitoring or outdated defenses. The lack of vendor patches prolongs exposure, making timely mitigation critical to reduce potential data breaches or operational disruptions.

To mitigate CVE-2026-4355, organizations should implement strict input validation and output encoding on the 'Name' parameter within the /intranet/educar_servidor_curso_lst.php endpoint to neutralize malicious script injections. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in user browsers. Use web application firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting this parameter. Educate users to avoid clicking on untrusted links and report suspicious activity. Monitor web server logs for unusual requests containing script tags or encoded payloads targeting the vulnerable endpoint. If possible, isolate or restrict access to the intranet component until a vendor patch or official fix is released. Consider deploying runtime application self-protection (RASP) solutions to detect and prevent exploitation attempts in real time. Engage with the vendor or community to track any forthcoming patches or updates. Finally, conduct regular security assessments and penetration tests focusing on input validation weaknesses in the i-Educar platform.