Severity: LOW · CVE-2026-4355 · CVSS 3.5

CVE-2026-4355: XSS in i-Educar 2.11

Platform: PHP

Fixed in: 2.11.1

AI confidence: high · Source: NVD · EPSS 0.0% · Reviewed: May 2026

A cross-site scripting (XSS) vulnerability has been identified in Portabilis i-Educar version 2.11. This flaw allows an attacker to inject malicious scripts into the application, potentially compromising user sessions and data. The vulnerability resides within the /intranet/educarservidorcurso_lst.php file, affecting an unknown function. A public exploit is now available.

Impact and Attack Scenarios

Successful exploitation of CVE-2026-4355 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious actions, including session hijacking, credential theft, and defacement of the i-Educar interface. The remote nature of the vulnerability means an attacker does not need to be authenticated to exploit it, significantly expanding the potential attack surface. The availability of a public exploit increases the likelihood of widespread exploitation.

Exploitation Context

CVE-2026-4355 has a LOW CVSS score of 3.5. A public proof-of-concept (PoC) is available, indicating a higher risk of exploitation. The vulnerability was disclosed on 2026-03-17. The vendor, Portabilis, was contacted but did not respond, which may delay the availability of a patch.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
NextGuard estimate: 10–15% still vulnerable

EPSS

0.03% (8% percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C
Base score: 3.5 (LOW) · source: nextguardhq.com
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Vendor: Portabilis
Affected range: 2.11 – 2.11
Fixed in: 2.11.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Unpatched — 68 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2026-4355 is to upgrade to a patched version of i-Educar. As no fixed version is provided, consider implementing input validation and sanitization on the 'Name' parameter in /intranet/educarservidorcurso_lst.php to prevent malicious input. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection. Regularly review and update security policies to address emerging threats.

How to fix

Update to a patched version or apply the security measures provided by the vendor to mitigate the XSS vulnerability. Since the vendor has not responded, it is recommended to review and sanitize the inputs of the 'Name' argument in the file /intranet/educar_servidor_curso_lst.php.
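One way to apply the input validation and output encoding that the mitigation and "How to fix" sections above recommend, shown as an added illustration written for this page and not taken from i-Educar's code; the parameter name `nome`, the form markup, and the 100-character limit are assumptions:

```php
<?php
// Added illustration (not i-Educar's code): a list page that reflects a
// search filter such as the 'Name' parameter back into HTML. The parameter
// name `nome`, the markup and the length limit are assumptions.
declare(strict_types=1);

// Vulnerable pattern: the raw request value is concatenated into markup,
// so any markup or script in the value is rendered by the browser.
function renderFilterVulnerable(array $query): string
{
    $name = (string) ($query['nome'] ?? '');
    return '<input type="text" name="nome" value="' . $name . '">';
}

// Hardened pattern: validate the input shape, then encode at the output
// point for the HTML context (here an attribute value) it is placed into.
function renderFilterHardened(array $query): string
{
    $name = (string) ($query['nome'] ?? '');

    // Input validation: a name is bounded in length and must be valid
    // UTF-8; anything else is dropped rather than guessed at.
    if (!mb_check_encoding($name, 'UTF-8') || mb_strlen($name, 'UTF-8') > 100) {
        $name = '';
    }

    // Output encoding: ENT_QUOTES escapes both " and ' so the attribute
    // cannot be closed early; the explicit charset avoids decoding bypasses.
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="nome" value="' . $safe . '">';
}

// Self-check with a constructed value that closes the attribute and adds
// a tag in the vulnerable version but is neutralised in the hardened one.
function selfCheck(): bool
{
    $probe = ['nome' => '"><b>x</b>'];
    $vulnerable = renderFilterVulnerable($probe);
    $hardened   = renderFilterHardened($probe);

    return str_contains($vulnerable, '"><b>x</b>')              // broken out
        && !str_contains($hardened, '<b>')                       // no raw tag
        && str_contains($hardened, '&quot;&gt;&lt;b&gt;x&lt;/b&gt;');
}

echo selfCheck() ? "hardened output is encoded\n" : "check failed\n";
```

Encoding must be applied wherever the value is rendered (attribute, text node, or JavaScript context), not only once at input, since the same value may be echoed in several places on a list page.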


Frequently asked questions

What is CVE-2026-4355 — XSS in i-Educar 2.11?

CVE-2026-4355 is a cross-site scripting (XSS) vulnerability affecting Portabilis i-Educar version 2.11, allowing attackers to inject malicious scripts via the 'Name' parameter in a specific file.

Am I affected by CVE-2026-4355 in i-Educar 2.11?

If you are using Portabilis i-Educar version 2.11, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as it becomes available.

How do I fix CVE-2026-4355 in i-Educar 2.11?

Upgrade to a patched version of i-Educar. Until a patch is released, implement input validation and sanitization on the 'Name' parameter and consider using a WAF.

Is CVE-2026-4355 being actively exploited?

A public proof-of-concept exists, suggesting a higher likelihood of active exploitation. Monitor your systems for suspicious activity.

Where can I find the official Portabilis advisory for CVE-2026-4355?

Check the Portabilis website and security advisories for updates regarding CVE-2026-4355. As of the disclosure date, no advisory has been published.
