Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a stored cross-site scripting vulnerability (CVE-2026-47106) in the course search functionality. Authenticated Banner ERP users can inject malicious JavaScript payloads into faculty and course-related fields due to improper neutralization of input during web page generation, specifically missing HTML encoding during DOM insertion. The injection can be performed through the unauthenticated getFacultyMeetingTimes API endpoint, enabling storage of malicious scripts in fields like faculty displayName, emailAddress, subjectDescription, or courseTitle. This leads to arbitrary script execution when the affected pages are viewed. The vulnerability affects version 9.41 and possibly earlier versions. No official fix or patch has been confirmed yet.

Successful exploitation allows an attacker with authenticated Banner ERP access to store malicious JavaScript in various faculty and course fields, which can execute in the browsers of users viewing those fields. This can lead to arbitrary script execution, potentially enabling actions such as session hijacking, unauthorized actions in the context of the victim user, or other client-side attacks. The vulnerability is medium severity with a CVSS 4.0 score of 5.1. There are no known exploits in the wild as of the provided information.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or remediation level is provided, organizations should monitor Ellucian's advisories for updates. In the meantime, consider restricting access to the affected API endpoint if possible and applying web application firewall (WAF) rules to detect and block suspicious input patterns related to this vulnerability. Avoid relying on client-side mitigations alone.